RE: Disclosure-for-pay?

From: Martin Walker (martin.walkerat_private)
Date: Mon Jul 21 2003 - 06:49:58 PDT

Next message: Martin Kluge: "Cisco IOS exploit (44020)"

Previous message: Ferruh Mavituna: "Drupal XSS Vulnerability (main page and sub pages)"
Maybe in reply to: Talley, Brooks: "Disclosure-for-pay?"
Next in thread: Rikhardur.EGILSSONat_private: "RE: Disclosure-for-pay?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

NOTE: that the individual is not saying "Pay me or I'll tell everyone
about it".  He's just saying "Pay me or I WON'T tell you about it".
There is a subtle but critical difference.  Your example is incorrect
from that standpoint.

Personally I don't think it is very good business, but it is not as
damning as many people are screaming about.  In fact, the most unethical
part is the "provide future services at no cost".

-----Original Message-----
From: Jay D. Dyson [mailto:jdysonat_private] 
Sent: Wednesday, July 16, 2003 6:22 PM
To: Bugtraq
Subject: Re: Disclosure-for-pay?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Jul 2003, Talley, Brooks wrote:

> My company recently received a communication from someone purporting 
> to know of a security vulnerability in our web application. The 
> individual stated that they would sign an NDA and report the details 
> of the vulnerability to us if we paid his "consulting fee" and 
> provided future services to him at no cost.

	Call me unruly, but that sounds like extortion to me.  Indeed,
it's all too akin to someone knocking on your door and claiming they've
found a way to steal your car...but if you'll give them free rides
around town, they'll keep it quiet.

> Is that kind of demand for payment for reporting a vulnerability at 
> all the norm?

	No, this is _not_ the norm.  If anything, it's unethical.  In
some circles, it's considered illegal.  There have been a few people
who've been pinched by law enforcement for such "offers."

	Bottom line: you didn't hire this individual to audit your
applications, so he's out of line asking for compensation.

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.
>====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    =
|-'
  `--' `--'  `Red meat isn't bad for you, fuzzy green meat is.'
`------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE/FdAcNlg1oZSC9mkRApDZAJ9+HllVA5MHP/3kaOg9n7aXe2CQPgCePlun
y0c2+VQ9klvbfd5yMs90nvA=
=pJOm
-----END PGP SIGNATURE-----

Next message: Martin Kluge: "Cisco IOS exploit (44020)"
Previous message: Ferruh Mavituna: "Drupal XSS Vulnerability (main page and sub pages)"
Maybe in reply to: Talley, Brooks: "Disclosure-for-pay?"
Next in thread: Rikhardur.EGILSSONat_private: "RE: Disclosure-for-pay?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jul 21 2003 - 09:43:58 PDT