Message-ID: <13608.131.182.179.153.1176310787.squirrel@slashmail.org>
Date: Wed, 11 Apr 2007 11:59:47 -0500 (EST)
From: "Steven Adair" <steven@...urityzone.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Vulnerability Purchasing Program Questions

Greetings,

I would like to see if I could get the community's take on these
vulnerability purchasing programs such as those offered by iDefense and
3COM.  There have been previous discussions that I have seen on the lists
surrounding poor monetary offerings of one program versus that of another.
I've also seen people come out and mention they are affiliated with some
program that will offer money for these vulnerabilities.  This has led me
to a few questions.

- Is there a general consensus as to what program is the best? I would
imagine this primarily centers on monetary offerings, but I suppose there
could be other considerations.

- If I normally work with vendors and disclose vulnerabilities for free,
why would I not use one of these programs?  I am making the assumption
that we are working with a legitimate and responsible buyer.  I have no
intentions to sell to shady buyers/foreign governments/etc and would like
to keep the assumption the buyer is legitimate.

- Do we know that the buyers are always legitimate and responsible?  Has
anyone ever suspected wrongdoing or felt they have been wronged by one of
the more popular and "legitimate" buying services?  For example, a
submission that was rejected by either party ended up being released by
the vendor anyway or integrated into their product.

- Any general comments on these sorts of programs that lean strongly
one way or the other?

Thanks,

Steven
securityzone.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/