see:

> - Come to our conference - profit...

buy our ticket, get a macbook prize.

> - Hacking challenge prize - profit... they give you $5000 and sell it
> to the vendor for a lot more.

ZDI provides the money for this. and they don't sell it back to the vendor.

> - Train to use our software -profit... over priced training for
> software... not interested.

don't get angry at remote-exploit because they are making money from their work. how much money do you make from posting to fd?

> On the issue of how much a vulnerability is worth, the prices are not
> regulated, we need regulation into how much a vulnerability costs,
> because the prices right now are wild. We need to take vulnerability
> pricing off the blackmarket and onto a legitimate central website for
> selling vulnerabilities, or cash rewards for disclosing a
> vulnerability to a particular company or organisation.

wabisabilabi? zdi... etc.

> Can someone post to full-disclosure a price list of what they think a
> buffer overflow should be worth etc, and we can vote if we agree.

feel free to take that as a todo item. however, i would think it would depend on the bo.

> We can't dress up cash prizes/contests as something else as well, if a
> website is offering a $5,000 reward for a vulnerability, we need to
> know if we're being ripped off with the cash reward and how much can
> be potentially made after it's sold on.

zdi doesn't sell their exploits afaik.

> Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> reward might not be enough money, compared to what a vulnerability
> *should* be worth, and taking into consideration how much profit
> CanSecWest make overall from people attending the conference.

the pwn2own cash is supplied by zdi. that's what you aren't realizing.

> So you take into consideration how much a vulnerability should be
> worth, then the added worth because it's a security conference of how
> much should be added on to counter the profit being made by the event.

you already said this. twice.

> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability market place, full-disclosure should be for free stuff,
> and other websites and mailing lists can be set up for *money making
> schemes and auctions*.

there are. however, how are people going to know about the websites if you don't allow people to 'spam' lists with this sort of thing, mr unofficial-fd moderator?

> We shouldn't allow the money makers directly to market X... if a link
> is put on Full-Disclosure by a member of the public on the fly then
> that's ok, but I think it's cheeky for the particular conference,
> contest runner or software trainer to be on the list themselves
> spamming everyone, for a profiteering agenda.

that's why it's called free enterprise, it's an unmoderated list. feel free to unsubscribe if you don't like it much..

> You mention cross-posting, that's not the issue here, it's the people
> making the money posting to make the money that offends me so much.

we know, it's the third time you've said it in one email.

> And not even the lonely hacker offends me who posts i've got a
> vulnerability for sale for X, I don't mind that on Full-Disclosure,
> but what I do mind is if it's a company or organisation doing it that
> is directly the ones making the money via vulnerability for sale,
> prize contest, security conference or train to use our software!!!,
> that's the height of spam I just think is utterly wrong and unethical
> on any scale of acceptability.

again, free market, and you are directly talking about zdi.

> If a lonely hacker who works in a supermarket has a vulnerability to
> sell i'm all for it being posted on full-disclosure, but not the big
> money conferences, prize hacking contests and software training guys.

fourth time.

> I come under the bracket as supermarket worker with nothing much going
> for me in life, so I should be allowed to sell a vulnerability on
> what's meant to be a mailing list for non-profit disclosure.

you work at a supermarket? so you know about the under cash drawer switch that pops open the drawer exploit?

> You will find it easy to shout me down and say n3td3v's an idiot, but
> wait till the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated, you're going to
> see a huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. so we've got to define what's fair play
> e-mail and what's a company or organisation blatantly profiteering
> with X method of extracting money out of people and using skilled
> hackers to make money, and to promote a security conference, training
> etc.

again, unmoderated list. the door is over there.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
