NOTE: that the individual is not saying "Pay me or I'll tell everyone
about it". He's just saying "Pay me or I WON'T tell you about it".
There is a subtle but critical difference. Your example is incorrect
from that standpoint.
Personally I don't think it is very good business, but it is not as
damning as many people are screaming about. In fact, the most unethical
part is the "provide future services at no cost".
-----Original Message-----
From: Jay D. Dyson [mailto:jdyson (at) treachery (dot) net [email concealed]]
Sent: Wednesday, July 16, 2003 6:22 PM
To: Bugtraq
Subject: Re: Disclosure-for-pay?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 16 Jul 2003, Talley, Brooks wrote:
> My company recently received a communication from someone purporting
> to know of a security vulnerability in our web application. The
> individual stated that they would sign an NDA and report the details
> of the vulnerability to us if we paid his "consulting fee" and
> provided future services to him at no cost.
Call me unruly, but that sounds like extortion to me. Indeed,
it's all too akin to someone knocking on your door and claiming they've
found a way to steal your car...but if you'll give them free rides
around town, they'll keep it quiet.
> Is that kind of demand for payment for reporting a vulnerability at
> all the norm?
No, this is _not_ the norm. If anything, it's unethical. In
some circles, it's considered illegal. There have been a few people
who've been pinched by law enforcement for such "offers."
Bottom line: you didn't hire this individual to audit your
applications, so he's out of line asking for compensation.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-.
>====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson (at) treachery (dot) net [email concealed] -----<) | =
|-'
`--' `--' `Red meat isn't bad for you, fuzzy green meat is.'
`------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
about it". He's just saying "Pay me or I WON'T tell you about it".
There is a subtle but critical difference. Your example is incorrect
from that standpoint.
Personally I don't think it is very good business, but it is not as
damning as many people are screaming about. In fact, the most unethical
part is the "provide future services at no cost".
-----Original Message-----
From: Jay D. Dyson [mailto:jdyson (at) treachery (dot) net [email concealed]]
Sent: Wednesday, July 16, 2003 6:22 PM
To: Bugtraq
Subject: Re: Disclosure-for-pay?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 16 Jul 2003, Talley, Brooks wrote:
> My company recently received a communication from someone purporting
> to know of a security vulnerability in our web application. The
> individual stated that they would sign an NDA and report the details
> of the vulnerability to us if we paid his "consulting fee" and
> provided future services to him at no cost.
Call me unruly, but that sounds like extortion to me. Indeed,
it's all too akin to someone knocking on your door and claiming they've
found a way to steal your car...but if you'll give them free rides
around town, they'll keep it quiet.
> Is that kind of demand for payment for reporting a vulnerability at
> all the norm?
No, this is _not_ the norm. If anything, it's unethical. In
some circles, it's considered illegal. There have been a few people
who've been pinched by law enforcement for such "offers."
Bottom line: you didn't hire this individual to audit your
applications, so he's out of line asking for compensation.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee"-.
>====<--.
C|~~|C|~~| (>----- Jay D. Dyson -- jdyson (at) treachery (dot) net [email concealed] -----<) | =
|-'
`--' `--' `Red meat isn't bad for you, fuzzy green meat is.'
`------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iD8DBQE/FdAcNlg1oZSC9mkRApDZAJ9+HllVA5MHP/3kaOg9n7aXe2CQPgCePlun
y0c2+VQ9klvbfd5yMs90nvA=
=pJOm
-----END PGP SIGNATURE-----
[ reply ]