i love how you like to make everything so confrontational. insecure much? i am no longer talking about this, you obviously didnt read my email, nor did you read michael cottinghams.
stop trolling.

On Fri, Apr 4, 2008 at 6:11 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>
> On Fri, Apr 4, 2008 at 9:34 PM, Ureleet <[EMAIL PROTECTED]> wrote:
> > see:
> >
> > > - Come to our conference - profit... buy our ticket, get a macbook prize.
> >
> > > - Hacking challenge prize - profit... they give you $5000 and sell it
> > > to the vendor for a lot more.
> >
> > ZDI provides the money for this. and they don't sell it back to vendor
> >
> > > - Train to use our software -profit... over priced training for
> > > software... not interested.
> >
> > don't get angry at remote-exploit because they are making money from their
> > work. how much money do you make from posting to fd?
> >
> > > On the issue of how much a vulnerability is worth, the prices are not
> > > regulated, we need regulation into how much a vulnerability costs,
> > > because the prices right now are wild. We need to take vulnerability
> > > pricing off the blackmarket and onto a legitimate central website for
> > > selling vulnerabilities, or cash rewards for disclosing a
> > > vulnerability to a particular company or organisation.
> >
> > wabisabilabi? zdi... etc.
> >
> > > Can someone post to full-disclosure a price list of what they think a
> > > bufferoverflow should be worth etc, and we can vote if we agree.
> >
> > feel free to take that as a todo item. however, i would think it would
> > depend on the bo.
> >
> > > We can't dress up cash prizes/contests as something else as well, if a
> > > website is offering a $5,000 reward for a vulnerability, we need to
> > > know if we're being ripped off with the cash reward and how much can
> > > be potentially made after its sold on.
> >
> > zdi doesn't sell their exploits afaik.
> >
> > > Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> > > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> > > reward might not be enough money, compared to what a vulnerability
> > > *should* be worth, and taking into consideration how much profit
> > > CanSecWest make overall from people attending the conference.
> >
> > the pwn2own cash is supplied by zdi. that's what you aren't realizing.
> >
> > > So you take into consideration how much a vulnerability should be
> > > worth, then the added worth because its a security conference of how
> > > much should be added on to counter the profit being made by the event.
> >
> > you already said this. twice.
> >
> > > However, to round off, we can't allow the mailing lists to turn into a
> > > vulnerability market place, full-disclosure should be for free stuff,
> > > and other websites and mailing lists can be setup for *money making
> > > schemes and auctions*.
> >
> > there are. however how are the people going to know about the websites if
> > you don't allow people to 'spam' lists with this sort of thing, mr
> > unofficial-fd moderator?
> >
> > > We shouldn't allow the money makers directly to market X... if a link
> > > is put on Full-Disclosure by a member of the public on the fly then
> > > thats ok, but I think its cheeky for the particular conference,
> > > contest runner or software trainer to be on the list themselves
> > > spamming everyone, for a profiteering agenda.
> >
> > that's why its called free enterprise, it's an unmoderated list. feel free
> > to unsubscribe if you dont like it much..
> >
> > > You mention cross-posting, thats not the issue here, its the people
> > > making the money posting to make the money that offends me so much.
> >
> > we know, its the third time youve said it in one email.
> >
> > > And not even the lonely hacker offends me who posts i've got a
> > > vulnerability for sale for X, I don't mind that on Full-Disclosure,
> > > but what I do mind is if its a company or organisation doing it that
> > > is directly the ones making the money via vulnerability for sale,
> > > prize contest, security conference or train to use our software!!!,
> > > thats the height of spam I just think is utterly wrong and unethical
> > > on any scale of acceptability.
> >
> > again, free market, and you are directly talking about zdi.
> >
> > > If a lonely hacker who works in a supermarket has a vulnerability to
> > > sell i'm all for it being post on full-disclosure, but not the big
> > > money conferences, prize hacking contests and software training guys.
> >
> > fourth time.
> >
> > > I come under the bracket as supermarket worker with nothing much going
> > > for me in life, so I should be allowed to sell a vulnerability on
> > > what's meant to be a mailing list for non-profit disclosure.
> >
> > you work at a supermarket? so you know about the under cash drawer switch
> > that pops open the drawer exploit?
> >
> > > You will find it easy to shout me down and say n3td3v's an idiot, but
> > > wait to the vulnerability market really takes off and the prices of
> > > vulnerabilities are properly defined and regulated, you're going to
> > > see a huge increase in commercial spam on the mailing lists, like the
> > > full-disclosure mailing list. so we've got to define what's fair play
> > > e-mail and what's a company or organisation blatantly profiteering
> > > with X method of extracting money out of people and using skilled
> > > hackers to make money, and to promote a security conference, training
> > > etc.
> >
> > again, unmoderated list. the door is over there.
>
> * i * * never * mentioned * ZDI * you * complete * jerk * off *
>
> * read * * the * * e-mail * properly * and * you * will * understand * what * I * don't * like *
>
> Overview:
>
> FIRST
>
> I said let's have a debate about how much a vulnerability is worth per
> vulnerability type, so everyone knows if we're being ripped off by joe
> jobs and to stop any blackmarkets, prices needs to be defined and
> regulated, so everyone knows where they stand in the security
> community as far as prices are concerned.
>
> ^^^^You bypassed this completely.
>
> SECOND
>
> Those on the list who don't disclose a vulnerability *but* are trying
> to sell a product should be outlawed.
>
> ^^^^do you know the difference between disclosure and profiteering?
>
> You're losing my rag and the lack of intellectual debate on this from
> non-retards is shocking, these are two serious topics that need
> debating and all i've got is some lamer called "Ureleet" trying to
> wind me up.
>
> Is anyone who can have a serious debate on this list?
>
> n3td3v
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
