| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20070709034840.7C78122825@mailserver9.hushmail.com> Date: Sun, 08 Jul 2007 21:48:39 -0600 From: "jt5944-27a" <jt5944@...hmail.com> To: <full-disclosure@...ts.grok.org.uk> Cc: Subject: Re: EXPLOITS FOR SALE (AUCTION SITE) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 08 Jul 2007 19:27:58 -0600 George Ou <george_ou@...architect.net> wrote: >Michal, > >I completely agree with you about the ethics of >selling exploits to the black-market. However, >there needs to be a reasonable alternative to >working for a "thank you" from the vendor. Very >knowledgeable people who spend their valuable >time tracking down bugs deserve to be able to >make a living and they deserve to get paid. If >there were a reasonable finder's fee paid by the >vendor, then a lot of conscionable researchers >will go the legitimate route even if they can >make more money selling it to the black-market. > >George thank you? okay - thank you for creating this wonderful software that we use. thank you for listening to our defect requests and thank you for addressing them in a meaningful time frame. but thank you for finding bugs? are you on drugs? they didnt ask you to look for defects. this sounds like those people who paint house numbers on your curb and then want to be paid even through you never said to paint the numbers. or those windshield washers who want you to pay them for smearing your window when you didnt ask for it. the only people who should be paid to find vulnerabilities are the people asked to find vulnerabilities. should we pay burglars for breaking into our homes? and what about open source projects? should nonprofit groups be forced to pay for defects that they never asked people to look for? if they dont pay then should we stop looking? companies that pay for exploits are honest about it. zdi and vcp let their customers know about risks before the rest of the world. the bounty comes from their customer registration fees. customers pay to hear about exploits first. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.5 wpwEAQECAAYFAkaRr68ACgkQiDw0BWMaDTHTzQQAhkTq/SkybDeO0z2GYAQHYjOQaTOw rkVGR6NP0JxiFSugNSw4mqW2CoaRr1LG0zsO56+qBkfcsxZW5Mp6nHpyT8YHkfDBhkb7 74C/hOCenGX5cXsTn1SKahBlSEsA+WSJ8CGcaFyloKvpMBMjpChzNM53UDmL5s1FDb6v Jc3adNk= =NKl+ -----END PGP SIGNATURE----- -- Bills adding up?? Click here for free information on payday loans. http://tagline.hushmail.com/fc/Ioyw6h4d80lDdADlxQMmdKKAkx3ixbvIa1bH0RAe2vkhQhjetVB1Be/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists