[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <026601c7c1c8$62b900e0$282b02a0$@net>
Date: Sun, 8 Jul 2007 18:27:58 -0700
From: "George Ou" <george_ou@...architect.net>
To: "'Michal Zalewski'" <lcamtuf@...ne.ids.pl>,
"'wac'" <waldoalvarez00@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: EXPLOITS FOR SALE (AUCTION SITE)
Michal,
I completely agree with you about the ethics of selling exploits to the
black-market. However, there needs to be a reasonable alternative to
working for a "thank you" from the vendor. Very knowledgeable people who
spend their valuable time tracking down bugs deserve to be able to make a
living and they deserve to get paid. If there were a reasonable finder's
fee paid by the vendor, then a lot of conscionable researchers will go the
legitimate route even if they can make more money selling it to the
black-market.
George
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Michal
Zalewski
Sent: Sunday, July 08, 2007 11:55 AM
To: wac
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] EXPLOITS FOR SALE (AUCTION SITE)
On Sun, 8 Jul 2007, wac wrote:
> Is more noble to reward hard to do work that also requires a lot of
> knowledge which sometimes people does even takes time to even say "thank
> you".
Vulnerability research is good. Getting paid for research is good. Holding
vendors accountable is good.
Yet, secretly trading intellectual property, keeping it under wraps for
months or years to maximize buyer's ROI, and not giving a second thought
as to why would a shady foreigner pay $50,000 for an _exploit_ they have
no legitimate use for, pretty much stands against *all* the core values of
the hacker culture - a culture to which this field of research owes quite
a bit.
Yeah, it can be done. It might be legal by itself, too - though I'm sure
the moment your code is used for malicious purposes (or simply against
your government), if it can be shown you willfully ignored the clearly
dubious nature of the transaction, a charge of being accessory to crime
won't be far off.
Still, legal or not, it's not exactly something to be too proud of on this
list.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists