| |||||||||||||
Linux 2.6.30 exploit postedLinux 2.6.30 exploit postedPosted Jul 18, 2009 17:46 UTC (Sat) by spender (subscriber, #23067)In reply to: Linux 2.6.30 exploit posted by nix Parent article: Linux 2.6.30 exploit posted
Indeed. Also, in case you weren't aware, the 'shady' purchasers (organized crime) of exploits pay out a lot more than the legitimate purchasers.
Also, while some legitimate purchasers do notify the vendor of the vulnerability, others do not. Customers of that legitimate purchaser get a copies of fully-working exploits (not PoCs) for vulnerabilities that are unfixed.
Keep that in mind.
-Brad
(Log in to post comments)
Then this vulnerability was only published because it was "spoiled goods"? Posted Jul 20, 2009 5:38 UTC (Mon) by khim (subscriber, #9252) [Link] Customers of that legitimate purchaser get a copies of fully- working exploits (not PoCs) for vulnerabilities that are unfixed. Does it mean that vulnerabilities like discussed one are only ever disclosed when they can not be sold? This time fix was introduced before the exploit (sure it was not included in -stable relase, but it was in git-head already), so it was impossible to sell it to "legitimate purchaser"?
Then this vulnerability was only published because it was "spoiled goods"? Posted Jul 20, 2009 11:20 UTC (Mon) by nix (subscriber, #2304) [Link]
Well, since he just said elsewhere in this thread that's he's going to start selling RH vulnerabilities, one must assume the answer, this time, was no, but in future will be yes.
Linux 2.6.30 exploit posted Posted Jul 20, 2009 20:42 UTC (Mon) by SEJeff (subscriber, #51588) [Link]
So where does 3Com's ZDI (Zero-Day Initiative) lay? On the good or bad side?
|
|||||||||||||