-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 16 Jul 2003, Talley, Brooks wrote: > My company recently received a communication from someone purporting to > know of a security vulnerability in our web application. The individual > stated that they would sign an NDA and report the details of the > vulnerability to us if we paid his "consulting fee" and provided future > services to him at no cost. Call me unruly, but that sounds like extortion to me. Indeed, it's all too akin to someone knocking on your door and claiming they've found a way to steal your car...but if you'll give them free rides around town, they'll keep it quiet. > Is that kind of demand for payment for reporting a vulnerability at all > the norm? No, this is _not_ the norm. If anything, it's unethical. In some circles, it's considered illegal. There have been a few people who've been pinched by law enforcement for such "offers." Bottom line: you didn't hire this individual to audit your applications, so he's out of line asking for compensation. - -Jay ( ( _______ )) )) .-"There's always time for a good cup of coffee"-. >====<--. C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) | = |-' `--' `--' `Red meat isn't bad for you, fuzzy green meat is.' `------' -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (TreacherOS) Comment: See http://www.treachery.net/~jdyson/ for current keys. iD8DBQE/FdAcNlg1oZSC9mkRApDZAJ9+HllVA5MHP/3kaOg9n7aXe2CQPgCePlun y0c2+VQ9klvbfd5yMs90nvA= =pJOm -----END PGP SIGNATURE-----
