- Come to our conference - profit... buy our ticket, get a MacBook prize.
- Hacking challenge prize - profit... they give you $5000 and sell it
to the vendor for a lot more.
ZDI provides the money for this, and they don't sell it back to the vendor.
- Train to use our software - profit... overpriced training for
software... not interested.
don't get angry at remote-exploit because they are making money from their
work. how much money do you make from posting to FD?
On the issue of how much a vulnerability is worth, the prices are not
regulated; we need regulation of how much a vulnerability costs,
because the prices right now are wild. We need to take vulnerability
pricing off the black market and onto a legitimate central website for
selling vulnerabilities, or cash rewards for disclosing a
vulnerability to a particular company or organisation.
wabisabilabi? zdi... etc.
Can someone post to full-disclosure a price list of what they think a
buffer overflow should be worth, etc., and we can vote on whether we agree.
feel free to take that as a to-do item. however, i would think it would
depend on the BO.
We can't dress up cash prizes/contests as something else either; if a
website is offering a $5,000 reward for a vulnerability, we need to
know if we're being ripped off with the cash reward and how much can
potentially be made after it's sold on.
zdi doesn't sell their exploits afaik.
Robert Lemos even talked about vulnerability pricing
(http://www.securityfocus.com/news/11510) when Pwn2Own was on, and even
the Pwn2Own cash reward might not be enough money, compared to what a
vulnerability *should* be worth, taking into consideration how much
profit CanSecWest makes overall from people attending the conference.
the pwn2own cash is supplied by zdi. that's what you aren't realizing.
So you take into consideration how much a vulnerability should be
worth, then the added worth, because it's a security conference, of how
much should be added on to counter the profit being made by the event.
you already said this. twice.
However, to round off, we can't allow the mailing lists to turn into a
vulnerability marketplace; full-disclosure should be for free stuff,
and other websites and mailing lists can be set up for *money-making
schemes and auctions*.
there are. however, how are people going to know about the websites if
you don't allow people to 'spam' lists with this sort of thing, mr
We shouldn't allow the money makers directly to market X... if a link
is put on Full-Disclosure by a member of the public on the fly then
that's ok, but I think it's cheeky for the particular conference,
contest runner or software trainer to be on the list themselves
spamming everyone, for a profiteering agenda.
that's why it's called free enterprise; it's an unmoderated list. feel free
to unsubscribe if you don't like it much.
You mention cross-posting; that's not the issue here, it's the people
making the money posting to make the money that offends me so much.
we know, it's the third time you've said it in one email.
And not even the lonely hacker offends me who posts "I've got a
vulnerability for sale for X"; I don't mind that on Full-Disclosure,
but what I do mind is if it's a company or organisation doing it that
is directly the one making the money via vulnerability for sale,
prize contest, security conference or train to use our software!!!
That's the height of spam I just think is utterly wrong and unethical
on any scale of acceptability.
again, free market, and you are directly talking about zdi.
If a lonely hacker who works in a supermarket has a vulnerability to
sell I'm all for it being posted on full-disclosure, but not the big
money conferences, prize hacking contests and software training guys.
I come under the bracket of supermarket worker with nothing much going
for me in life, so I should be allowed to sell a vulnerability on
what's meant to be a mailing list for non-profit disclosure.
you work at a supermarket? so you know about the under-cash-drawer switch
that pops open the drawer exploit?
You will find it easy to shout me down and say n3td3v's an idiot, but
wait until the vulnerability market really takes off and the prices of
vulnerabilities are properly defined and regulated; you're going to
see a huge increase in commercial spam on the mailing lists, like the
full-disclosure mailing list. So we've got to define what's fair-play
e-mail and what's a company or organisation blatantly profiteering
with X method of extracting money out of people and using skilled
hackers to make money, and to promote a security conference, training
again, unmoderated list. the door is over there.