Message-Id: <20070709034840.7C78122825@mailserver9.hushmail.com>
Date: Sun, 08 Jul 2007 21:48:39 -0600
From: "jt5944-27a" <jt5944@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: EXPLOITS FOR SALE (AUCTION SITE)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 08 Jul 2007 19:27:58 -0600 George Ou
<george_ou@...architect.net> wrote:
>Michal,
>
>I completely agree with you about the ethics of
>selling exploits to the black-market.  However,
>there needs to be a reasonable alternative to
>working for a "thank you" from the vendor.  Very
>knowledgeable people who spend their valuable
>time tracking down bugs deserve to be able to
>make a living and they deserve to get paid.  If
>there were a reasonable finder's fee paid by the
>vendor, then a lot of conscionable researchers
>will go the legitimate route even if they can
>make more money selling it to the black-market.
>
>George

thank you? okay - thank you for creating this wonderful software
that we use. thank you for listening to our defect requests and
thank you for addressing them in a meaningful time frame. but thank
you for finding bugs? are you on drugs?

they didn't ask you to look for defects. this sounds like those
people who paint house numbers on your curb and then want to be
paid even though you never said to paint the numbers. or those
windshield washers who want you to pay them for smearing your
window when you didn't ask for it. the only people who should be
paid to find vulnerabilities are the people asked to find
vulnerabilities.

should we pay burglars for breaking into our homes? and what about
open source projects? should nonprofit groups be forced to pay for
defects that they never asked people to look for? if they don't pay
then should we stop looking?

companies that pay for exploits are honest about it. zdi and vcp
let their customers know about risks before the rest of the world.
the bounty comes from their customer registration fees. customers
pay to hear about exploits first.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/