Zero-day sales not "fair" -- to researchers
Robert Lemos, SecurityFocus 2007-06-01

Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information.

Zero-day sales not "fair" -- to researchers 2007-06-02
Anonymous
Fair? What the heck are you talking about?

You spent 45 minutes fuzzing PowerPoint and you get 80.000 USD?

Unfair is a Bolivian farmer working from sunrise to sunset on a farm for 35 USD a month....

Zero-day sales not "fair" -- to researchers 2007-06-03
Anonymous (1 replies)
Someone should remind this greedy jerkwad that if every vulnerability found over the last 15 years of the internet resulted in negotiations, contracts, and payouts, we would still be working with 1995 technology.

What a pud. Not much better than a spam king IMHO. ...

Re: Zero-day sales not "fair" -- to researchers 2007-11-01
Mr. Clean
Well, fortunately for us, there's people out there who are kind enough to release them. Also, the vulnerability he found was an extremely big vulnerability. It was in Linux, an OS that the government uses on some of their servers! For instance, you're not going to get $50,000 for a php-nuke SQL Injecti...

Zero-day sales not "fair" -- to researchers 2007-06-03
Anonymous (1 replies)
Charlie Miller = CISSP

The ISC2 code of ethics states: "Act honorably, honestly, justly, responsibly, and legally. Promote and preserve public trust and confidence in information and systems. Preserve and strengthen the integrity of the public infrastructure."

(ISC)² members who intentionally...

Re: Zero-day sales not "fair" -- to researchers 2007-06-05
Anonymous
Well now ain't that a peach! Looks like it's time to give ISC2 a call....

Zero-day sales not "fair" -- to researchers 2007-06-03
RU_Trustified
I wonder how much of this is fair to end users, especially if vulnerabilities are not reported to vendors like MS. What are the ulterior motives for buying this information? Purely altruistic? Doesn't appear likely, somehow. ...

Zero-day sales not "fair" -- to researchers 2007-06-04
KF (1 replies)
What ever happened to Zero-Bay?

eBay for pwners...

-KF...

Re: Zero-day sales not "fair" -- to researchers 2007-06-05
Anonymous
He can shop his exploit on many of the "underground" security boards, however it's very unlikely he will get someone trying to send him stolen money. Your other option is real world criminals who have moved online like the alleged mob influences on computer security. I don't know personally if Russi...

Cry me a river Mr Miller 2007-06-04
Anonymous
As far as I am concerned, iDefence and 3Com are now part of the problem rather than part of the solution. Bug bounties place a commercial incentive on exploit development without any reliable assurances at all towards the common good.

As far as Mr. Miller's concern that government participation ...

Zero-day sales not "fair" -- to researchers 2007-06-04
Anonymous42
To those that would remove his CISSP:

Do you think government researchers who develop 0-day exploits for national defense purposes should also have their CISSP credentials removed? If not, what is the distinction between a private individual selling it to the government, and the government findi...

Zero-day sales not "fair" -- to researchers 2007-06-04
GDFuego
This isn't an issue of "fair" versus "unfair". It is a reality of any sale.

Next year I'll be trying to sell my house. How much is it worth? Well, it's worth however much someone is willing to pay for it. If I put it on sale too high, I'll turn off potential buyers. If I put the price too l...

Zero-day sales not "fair" -- to researchers 2007-06-05
Anonymous
Wow, jealous whiners much? If I could find a juicy exploit and sell it (non-black market) to support myself and my family I would do it in a heartbeat. We live in a capitalistic society where it costs money to live and you earn money for your hard-earned skills. These aren't teenager script kidd...

Zero-day sales not "fair" -- to researchers 2007-06-06
Anonymous
Who's the moderator here? I posted a comment over 24 hours ago that was more than reasonable. Does someone have an agenda here?...

Zero-day sales not "fair" -- to researchers 2007-06-07
Chris (1 replies)
I read Miller's paper.

I have no idea why it is news (to a workshop with economists in it!) that thin markets do a poor job of matching buyers and sellers.

...

Re: Zero-day sales not "fair" -- to researchers 2007-06-13
Anonymous
It is not news. However, it is a nice example, relevant to the security domain....

Zero-day sales not "fair" -- to researchers 2007-06-13
Anonymous (1 replies)
It's great that people are cluey enough to find these vulnerabilities, but I have great difficulties with them selling the information for profit. I can accept that time is money and maybe there is a case for payment, but it is my belief that it is strongly unethical to sell it.

The first approach m...

Re: Zero-day sales not "fair" -- to researchers 2009-03-19
Anonymous
I agree with the above. However, Microsoft clearly does not care much about the security of their product. How many stories have you heard about researchers letting them know - for FREE - that they have a flaw, and it goes unpatched for months on months? It even happens in this article!

Researche...

Copyright 2009, SecurityFocus