Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Exploit Brokering
From: jf <jf () danglingpointers net>
Date: Sat, 10 Nov 2007 04:37:48 +0000 (UTC)


When the first word in the first sentence in a communique is a company
name, you should take that as a warning everything that follows is a SNOsoft.

People posting emails in public forums in an attempt to sell exploits is
not only careless and irresponsible,

It's called the free-market.

but is also a testament to that
persons immaturity and lack of experience.

What you think that when you add the variables up that the only potential
answer is the what you've come up with? Employing the free-market is not a
testament to anything, much less a persons level of maturity or

Do they ever stop to think
about the potential liability? What happens if they sell to a hostile
foreign party, what could happen to them, etc...?

Sure of course, you don't sell 0day to the organizations that the enemy of
your country, thats common sense- however you put a breach of contract
provision into your agreement that disallows transfer of content to third
parties and then dont sell them to people from guangdong, its not
stupidity, immaturity or lack of experience, its called due dilligence.

I think that there is a legitimate market for Exploit Brokering when it
is done properly (ethically and legally).

I wish you people would stop putting your opinions on ethics to other
people. I mean even business ethics does not follow the whats commonly
associated with being ethical, thats why there is a special class for it
in college and largely amounts to the questions 'is it legal?' and 'can i
get away with it?'.

In reality all your bantering about ethics and legality will result in is
that bug information and exploits become subject to restricted export/sale
legislation and then we'll be stuck with companies like yours.

I mean seriously, has it not occurred to you that not everyone in the
world is American and wants to sell their 0day to the NSA via SNOSoft?
That perhaps the conjecture that they want to do that is against their
morals and in turn does that not make you obtuse for expecting they abide
by your own personal set of ethics?

I think

I don't care what you think, don't try to enforce your set of morals on
me; im sure plenty of others agree with this sentiment.

The solution to that problem is not to sell exploits to just anyone in a
public forum. That introduces too much liability to the developer,
especially if the buyer is illegitimate or hostile. The solution is to
work with legitimate established businesses in a confidential and
responsible manner.

Not the solution is not to be stupid with your sales, you can meet people
in public forums, just be able to show due dilligence that the parties you
sold to are not enemies of your country and that their intentions are not
to violate the law. Guns don't kill people, ...

By responsible, you mean doing it the way you do?

Its just a matter of time till
laws get passed and they end up getting thrown in jail for selling
weaponized exploits to the wrong people.

Which is exactly what you want. Look almost everything is legal somewhere,
that means you can't stop people who wish to conduct private business.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]