| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 Jul 2007 20:54:35 +0200 (CEST) From: Michal Zalewski <lcamtuf@...ne.ids.pl> To: wac <waldoalvarez00@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: EXPLOITS FOR SALE (AUCTION SITE) On Sun, 8 Jul 2007, wac wrote: > Is more noble to reward hard to do work that also requires a lot of > knowledge which sometimes people does even takes time to even say "thank > you". Vulnerability research is good. Getting paid for research is good. Holding vendors accountable is good. Yet, secretly trading intellectual property, keeping it under wraps for months or years to maximize buyer's ROI, and not giving a second thought as to why would a shady foreigner pay $50,000 for an _exploit_ they have no legitimate use for, pretty much stands against *all* the core values of the hacker culture - a culture to which this field of research owes quite a bit. Yeah, it can be done. It might be legal by itself, too - though I'm sure the moment your code is used for malicious purposes (or simply against your government), if it can be shown you willfully ignored the clearly dubious nature of the transaction, a charge of being accessory to crime won't be far off. Still, legal or not, it's not exactly something to be too proud of on this list. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists