Message-ID: <4691AD24.7080301@bellsouth.net>
Date: Sun, 08 Jul 2007 23:36:04 -0400
From: scott <redhowlingwolves@...lsouth.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: EXPLOITS FOR SALE (AUCTION SITE)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I agree on most of these points. It seems that researchers don't get back
what they put in.
At the same time, you can't expect to get rich off finding exploits, either.
The security industry, as a whole, needs to get on the bandwagon of how
far the envelope needs to be pushed in this direction.
Who, what, where and how the found vulnerabilities are reported needs to
be defined in some definite way.
ROFL, I can't believe I said that with a straight face!!?
But seriously. I would not sell any vuln I have found--as far as looking
to make it a full-time job--to someone else, simply because they might
make a name for themselves using my work.
Anonymous works well for me, at this time anyway.
Regards,
Scott
George Ou wrote:
> Michal,
>
> I completely agree with you about the ethics of selling exploits to the
> black-market. However, there needs to be a reasonable alternative to
> working for a "thank you" from the vendor. Very knowledgeable people who
> spend their valuable time tracking down bugs deserve to be able to make a
> living and they deserve to get paid. If there were a reasonable finder's
> fee paid by the vendor, then a lot of conscionable researchers would go the
> legitimate route even if they could make more money selling it to the
> black-market.
>
> George
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Michal
> Zalewski
> Sent: Sunday, July 08, 2007 11:55 AM
> To: wac
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] EXPLOITS FOR SALE (AUCTION SITE)
>
> On Sun, 8 Jul 2007, wac wrote:
>
>> It is more noble to reward hard-to-do work that also requires a lot of
>> knowledge, for which sometimes people don't even take the time to say "thank
>> you".
>
> Vulnerability research is good. Getting paid for research is good. Holding
> vendors accountable is good.
>
> Yet, secretly trading intellectual property, keeping it under wraps for
> months or years to maximize the buyer's ROI, and not giving a second thought
> as to why a shady foreigner would pay $50,000 for an _exploit_ they have
> no legitimate use for, pretty much stands against *all* the core values of
> the hacker culture - a culture to which this field of research owes quite
> a bit.
>
> Yeah, it can be done. It might be legal by itself, too - though I'm sure
> the moment your code is used for malicious purposes (or simply against
> your government), if it can be shown you willfully ignored the clearly
> dubious nature of the transaction, a charge of being accessory to crime
> won't be far off.
>
> Still, legal or not, it's not exactly something to be too proud of on this
> list.
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGka0jelSgjADJQKsRAjXSAJ9jygmvOGPgjXLNBwK/ri7ZNbKmqgCfV5+2
SYcxLxgjn0sj4k4xhFQ5sFs=
=UfBt
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/