From: Simon Smith (simonsnosoft.com)
Date: Fri Nov 09 2007 - 14:54:03 CST
Please forgive me... should I beg for mercy?
Joey Mengele wrote:
> This is hardly on topic and you do not have any unique credentials
> to validate your claims. Please refrain from writing off topic and
> baseless editorials in the future or risk moderation. Thanks.
> On Fri, 09 Nov 2007 15:22:01 -0500 Simon Smith <simonsnosoft.com>
>> [ This email is in response to all of the emails that I see with
>> trying to broker exploits by advertising them on full disclosure
>> other public mailing lists. ]
>> SNOsoft has been legitimately and legally brokering exploits since
>> 2000, and we're still doing it very successfully. As a matter of
>> we will not ever purchase items from careless developers, and will
>> sell to careless buyers or non US based buyers... With exploit
>> comes great responsibility and liability.
>> People posting emails in public forums in an attempt to sell
>> exploits is
>> not only careless and irresponsible, but is also a testament to
>> persons immaturity and lack of experience. Do they ever stop to
>> about the potential liability? What happens if they sell to a
>> foreign party, what could happen to them, etc...?
>> I think that there is a legitimate market for Exploit Brokering
>> when it
>> is done properly (ethically and legally). I think that in that
>> the developers should adhere to strict rules and not cross certain
>> boundaries. I also think that the responsible and ethical
>> should be paid fair value for their time, instead of a pathetic
>> of $5,000.00 for a high grade item. Think about it, the average QA
>> Engineer makes more money per bug than the higher talent security
>> researcher. There's something wrong with that.
>> The solution to that problem is not to sell exploits to just
>> anyone in a
>> public forum. That introduces too much liability to the developer,
>> especially if the buyer is illegitimate or hostile. The solution
>> is to
>> work with legitimate established businesses in a confidential and
>> responsible manner.
>> Unfortunately for those developers that are trying to sell
>> exploits in
>> public forum, their chances of working with legitimate businesses
>> gone. No way will any of the legitimate Exploit Brokers ever
>> purchase an
>> item from an irresponsible developer. It's just a matter of time
>> laws get passed and they end up getting thrown in jail for selling
>> weaponized exploits to the wrong people.
>> - simon
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/