|
|
|
Choosing A Webhost: |
RE: Disclosure-for-pay?: msg#00303security.bugtraq
NOTE: that the individual is not saying "Pay me or I'll tell everyone about it". He's just saying "Pay me or I WON'T tell you about it". There is a subtle but critical difference. Your example is incorrect from that standpoint. Personally I don't think it is very good business, but it is not as damning as many people are screaming about. In fact, the most unethical part is the "provide future services at no cost". -----Original Message----- From: Jay D. Dyson [mailto:jdyson@xxxxxxxxxxxxx] Sent: Wednesday, July 16, 2003 6:22 PM To: Bugtraq Subject: Re: Disclosure-for-pay? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 16 Jul 2003, Talley, Brooks wrote: > My company recently received a communication from someone purporting > to know of a security vulnerability in our web application. The > individual stated that they would sign an NDA and report the details > of the vulnerability to us if we paid his "consulting fee" and > provided future services to him at no cost. Call me unruly, but that sounds like extortion to me. Indeed, it's all too akin to someone knocking on your door and claiming they've found a way to steal your car...but if you'll give them free rides around town, they'll keep it quiet. > Is that kind of demand for payment for reporting a vulnerability at > all the norm? No, this is _not_ the norm. If anything, it's unethical. In some circles, it's considered illegal. There have been a few people who've been pinched by law enforcement for such "offers." Bottom line: you didn't hire this individual to audit your applications, so he's out of line asking for compensation. - -Jay ( ( _______ )) )) .-"There's always time for a good cup of coffee"-. >====<--. C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@xxxxxxxxxxxxx -----<) | = |-' `--' `--' `Red meat isn't bad for you, fuzzy green meat is.' `------' -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (TreacherOS) Comment: See http://www.treachery.net/~jdyson/ for current keys. iD8DBQE/FdAcNlg1oZSC9mkRApDZAJ9+HllVA5MHP/3kaOg9n7aXe2CQPgCePlun y0c2+VQ9klvbfd5yMs90nvA= =pJOm -----END PGP SIGNATURE-----
|
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | Drupal XSS Vulnerability (main page and sub pages), Ferruh Mavituna |
|---|---|
| Next by Date: | [RHSA-2003:162-02] Updated Mozilla packages fix security vulnerability., bugzilla |
| Previous by Thread: | Re: Disclosure-for-pay?, Josh Daymont |
| Next by Thread: | RE: Disclosure-for-pay?, Rikhardur . EGILSSON |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
Free MagazinesCisco NewsReceive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business. subscribe Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field. subscribe The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business. subscribe Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company. subscribe Total Telecom Total Telecom is "The Economist of the communications industry". subscribe |
