see:
<div><br></div>
<div>> - Come to our conference - profit... buy our ticket, get a macbook prize.</div>
<div><br></div>
<div>> - Hacking challenge prize - profit... they give you $5000 and sell it<br>
> to the vendor for a lot more.</div>
<div><br></div>
<div>ZDI provides the money for this, and they don't sell it back to the vendor.</div>
<div><br></div>
<div>> - Train to use our software - profit... overpriced training for<br>
> software... not interested.</div>
<div><br></div>
<div>don't get angry at remote-exploit because they are making money from their work. how much money do you make from posting to fd?</div>
<div><br></div>
<div>> On the issue of how much a vulnerability is worth, the prices are not<br>
> regulated, we need regulation into how much a vulnerability costs,<br>
> because the prices right now are wild. We need to take vulnerability<br>
> pricing off the black market and onto a legitimate central website for<br>
> selling vulnerabilities, or cash rewards for disclosing a<br>
> vulnerability to a particular company or organisation.</div>
<div><br></div>
<div>wabisabilabi? zdi... etc.</div>
<div><br></div>
<div>> Can someone post to full-disclosure a price list of what they think a<br>
> buffer overflow should be worth etc, and we can vote if we agree.</div>
<div><br></div>
<div>feel free to take that as a todo item. however, i would think it would depend on the bo.</div>
<div><br></div>
<div>> We can't dress up cash prizes/contests as something else as well, if a<br>
> website is offering a $5,000 reward for a vulnerability, we need to<br>
> know if we're being ripped off with the cash reward and how much can<br>
> be potentially made after it's sold on.</div>
<div><br></div>
<div>zdi doesn't sell their exploits afaik.</div>
<div><br></div>
<div>> Robert Lemos even <a href="http://www.securityfocus.com/news/11510" target="_blank" style="color: rgb(0, 0, 204); ">http://www.securityfocus.com/news/11510</a> talked about<br>
> vulnerability pricing when Pwn2Own was on, and even the Pwn2Own cash<br>
> reward might not be enough money, compared to what a vulnerability<br>
> *should* be worth, and taking into consideration how much profit<br>
> CanSecWest make overall from people attending the conference.</div>
<div><br></div>
<div>the pwn2own cash is supplied by zdi. that's what you aren't realizing.</div>
<div><br></div>
<div>> So you take into consideration how much a vulnerability should be<br>
> worth, then the added worth because it's a security conference of how<br>
> much should be added on to counter the profit being made by the event.</div>
<div><br></div>
<div>you already said this. twice.</div>
<div><br></div>
<div>> However, to round off, we can't allow the mailing lists to turn into a<br>
> vulnerability market place, full-disclosure should be for free stuff,<br>
> and other websites and mailing lists can be set up for *money making<br>
> schemes and auctions*.</div>
<div><br></div>
<div>there are. however, how are people going to know about the websites if you don't allow people to 'spam' lists with this sort of thing, mr unofficial-fd moderator?</div>
<div><br></div>
<div>> We shouldn't allow the money makers directly to market X... if a link<br>
> is put on Full-Disclosure by a member of the public on the fly then<br>
> that's ok, but I think it's cheeky for the particular conference,<br>
> contest runner or software trainer to be on the list themselves<br>
> spamming everyone, for a profiteering agenda.</div>
<div><br></div>
<div>that's why it's called free enterprise, it's an unmoderated list. feel free to unsubscribe if you don't like it much.</div>
<div><br></div>
<div>> You mention cross-posting, that's not the issue here, it's the people<br>
> making the money posting to make the money that offends me so much.</div>
<div><br></div>
<div>we know, it's the third time you've said it in one email.</div>
<div><br></div>
<div>> And not even the lonely hacker offends me who posts I've got a<br>
> vulnerability for sale for X, I don't mind that on Full-Disclosure,<br>
> but what I do mind is if it's a company or organisation doing it that<br>
> is directly the ones making the money via vulnerability for sale,<br>
> prize contest, security conference or train to use our software!!!,<br>
> that's the height of spam I just think is utterly wrong and unethical<br>
> on any scale of acceptability.</div>
<div><br></div>
<div>again, free market, and you are directly talking about zdi.</div>
<div><br></div>
<div>> If a lonely hacker who works in a supermarket has a vulnerability to<br>
> sell I'm all for it being posted on full-disclosure, but not the big<br>
> money conferences, prize hacking contests and software training guys.</div>
<div><br></div>
<div>fourth time.</div>
<div><br></div>
<div>> I come under the bracket as supermarket worker with nothing much going<br>
> for me in life, so I should be allowed to sell a vulnerability on<br>
> what's meant to be a mailing list for non-profit disclosure.</div>
<div><br></div>
<div>you work at a supermarket? so you know about the under cash drawer switch that pops open the drawer exploit?</div>
<div><br></div>
<div>> You will find it easy to shout me down and say n3td3v's an idiot, but<br>
> wait till the vulnerability market really takes off and the prices of<br>
> vulnerabilities are properly defined and regulated, you're going to<br>
> see a huge increase in commercial spam on the mailing lists, like the<br>
> full-disclosure mailing list. so we've got to define what's fair play<br>
> e-mail and what's a company or organisation blatantly profiteering<br>
> with X method of extracting money out of people and using skilled<br>
> hackers to make money, and to promote a security conference, training<br>
> etc.</div>
<div><br></div>
<div>again, unmoderated list. the door is over there.</div>