lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4734C169.8020708@snosoft.com>
Date: Fri, 09 Nov 2007 15:22:01 -0500
From: Simon Smith <simon@...soft.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Exploit Brokering

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ This email is in response to all of the emails that I see with people
trying to broker exploits by advertising them on full disclosure and
other public mailing lists. ]

SNOsoft has been legitimately and legally brokering exploits since early
2000, and we're still doing it very successfully. As a matter of policy
we will not ever purchase items from careless developers, and will not
sell to careless buyers or non US based buyers... With exploit brokering
comes great responsibility and liability.

People posting emails in public forums in an attempt to sell exploits is
not only careless and irresponsible, but is also a testament to that
persons immaturity and lack of experience. Do they ever stop to think
about the potential liability? What happens if they sell to a hostile
foreign party, what could happen to them, etc...?

I think that there is a legitimate market for Exploit Brokering when it
is done properly (ethically and legally). I think that in that market
the developers should adhere to strict rules and not cross certain
boundaries. I also think that the responsible and ethical developers
should be paid fair value for their time, instead of a pathetic maximum
of $5,000.00 for a high grade item. Think about it, the average QA
Engineer makes more money per bug than the higher talent security
researcher. There's something wrong with that.

The solution to that problem is not to sell exploits to just anyone in a
public forum. That introduces too much liability to the developer,
especially if the buyer is illegitimate or hostile. The solution is to
work with legitimate established businesses in a confidential and
responsible manner.

Unfortunately for those developers that are trying to sell exploits in
public forum, their chances of working with legitimate businesses are
gone. No way will any of the legitimate Exploit Brokers ever purchase an
item from an irresponsible developer. Its just a matter of time till
laws get passed and they end up getting thrown in jail for selling
weaponized exploits to the wrong people.

- --

- - simon

- ----------------------
http://www.snosoft.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFHNMFmf3Elv1PhzXgRAiVyAKCgKIhDLpqjkOK+Ndu+JHol2F7s1ACfbXFa
1Ju3+ZCeSWeDisUigMs1FY0=
=uA7p
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ