As far as the "moral/immoral" issue goes, I don't think there's an easy answer to that one. Is it immoral to get paid for your effort? I don't think so. On the other hand, I don't think I'd be really proud of myself if I sold a bug to someone and they turned around and released a worm that exploited it. I think it depends on who you're selling to and why you're doing it. That having been said, I should say that I've never charged anyone for any bugs I've found. Maybe I'm just old school.

Jared DeMott wrote:
> All:
>
> So, I've tried the vendor pay model for bug hunting and it wasn't always
> well received. Apparently auction sites and 3 party purchasers are
> fine, but some folks don't like the idea of selling directly to the
> vendor. I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug. My question to
> the list is this:
> Is it morally right, wrong, don't know, don't care, good business, bad
> business, etc.? Either way we're moving away from that model, but I was
> just curious how others on FD see it.
>
> Blessings,
> Jared
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
