RE: Disclosure-for-pay?

From: Rikhardur.EGILSSONat_private
Date: Tue Jul 22 2003 - 07:09:02 PDT


    This is apparently what happened with Serge Humpich, France's famous engineer
    (At least in France :-), a true hacker (in the original meaning of the
    word).  He was passionate about the French credit card system and how it
    worked, and spent four years studying the system and even bought one teller
    machine (legally).
    
    In the end he had spent a few hundred thousand dollars on equipment and
    countless hours studying the system.  And then he managed to break the
    private key of the banks ..
    
    He went to the banks and proposed to sell them the information both of how
    to break and repair the system.
    
    The banks didn't believe his story at first and demanded proof..  So he
    bought a few metro tickets from a vending machine and went back with the
    slip from the vending machine and the metro tickets.
    
    Then the banks went ballistic and started threatening him with legal actions
    and god knows what ...
    
    Word got out about what was happening and a lot of people became *very*
    interested ..
    
    Apparently, somebody managed to repeat the factorization and that somebody
    then posted the parts to the Internet.
    
    The "Yescard" was born.
    
    
    ...
    
    Six years later and the Yescards still exist, less of a problem, yes, but
    still a problem ...
    
    Personally I don't see any difference in offering you information about how
    someone can break into your house and how you can fix that, or a CD with my
    song on it, both require special knowledge to make and either you accept the
    buy or not ....
    
    It's like a freelance reporter who discovers a story, but instead of selling
    it to everybody, you only offer it to one company..
    
    
    -----Original Message-----
    From: Talley, Brooks [mailto:brooksat_private] 
    Sent: 16 July, 2003 11:02 PM
    To: bugtraqat_private
    Subject: Disclosure-for-pay?
    
    
    My company recently received a communication from someone purporting to know
    of a security vulnerability in our web application. The individual stated
    that they would sign an NDA and report the details of the vulnerability to
    us if we paid his "consulting fee" and provided future services to him at no
    cost.
    
    Am I crazy here, or does this sound not good in several different ways?
    
    Is that kind of demand for payment for reporting a vulnerability at all the
    norm?
    
    I'd love any advice here.
    
    Thanks
    -Brooks
    



    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 10:59:34 PDT