Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Exploit Brokering
From: "Joey Mengele" <joey.mengele () hushmail com>
Date: Fri, 09 Nov 2007 15:28:34 -0500

This is hardly on topic and you do not have any unique credentials 
to validate your claims. Please refrain from writing off topic and 
baseless editorials in the future or risk moderation. Thanks.

J

On Fri, 09 Nov 2007 15:22:01 -0500 Simon Smith <simon () snosoft com> 
wrote:
[ This email is in response to all of the emails that I see with 
people
trying to broker exploits by advertising them on full disclosure 
and
other public mailing lists. ]

SNOsoft has been legitimately and legally brokering exploits since 
early
2000, and we're still doing it very successfully. As a matter of 
policy
we will not ever purchase items from careless developers, and will 
not
sell to careless buyers or non US based buyers... With exploit 
brokering
comes great responsibility and liability.

People posting emails in public forums in an attempt to sell 
exploits is
not only careless and irresponsible, but is also a testament to 
that
persons immaturity and lack of experience. Do they ever stop to 
think
about the potential liability? What happens if they sell to a 
hostile
foreign party, what could happen to them, etc...?

I think that there is a legitimate market for Exploit Brokering 
when it
is done properly (ethically and legally). I think that in that 
market
the developers should adhere to strict rules and not cross certain
boundaries. I also think that the responsible and ethical 
developers
should be paid fair value for their time, instead of a pathetic 
maximum
of $5,000.00 for a high grade item. Think about it, the average QA
Engineer makes more money per bug than the higher talent security
researcher. There's something wrong with that.

The solution to that problem is not to sell exploits to just 
anyone in a
public forum. That introduces too much liability to the developer,
especially if the buyer is illegitimate or hostile. The solution 
is to
work with legitimate established businesses in a confidential and
responsible manner.

Unfortunately for those developers that are trying to sell 
exploits in
public forum, their chances of working with legitimate businesses 
are
gone. No way will any of the legitimate Exploit Brokers ever 
purchase an
item from an irresponsible developer. Its just a matter of time 
till
laws get passed and they end up getting thrown in jail for selling
weaponized exploits to the wrong people.

--

- simon

----------------------
http://www.snosoft.com

--
Click to find moving companies, movers, van lines,  and auto transport services. Low prices.
http://tagline.hushmail.com/fc/Ioyw6h4epKaveFJJVmjBsU28T2AQSuvoJt5Pl48nl1r8rDmwbNOLPK/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault