This is apparenty what happened with Serge Humpich, France's famous engineer (At least in France :-), a true hacker (in the original meaning of the word). He was passionate about the French credid card system and how it worked, and spent four years studying the system and even bought one teller machine (legally). In the end he had spend a few hundred thousand dollars on equipment and countless hours studying the system. And then he managed to brake the private key of the banks .. He went to the banks and proposed to sell them the information both of how to break and repair the system. The banks didn't belive his story at first and demanded proof.. So he bought a few metro tickets from a vending machine and went back with the slip from the vending machine and the metro tickets. Then the banks went ballistic and started threatening him with legal actions and god knows what ... Word got out about what was heppening and a lot of people became *very* interested .. Apparently, somebody managed to repeat the factorization and that somebody then posted the parts to the Internet. The "Yescard" was born. ... Six years later and the Yescards still exist, less of a problem, yes, but still a problem ... Personally I don't see any difference in offering you information about how someone can break into your house and how you can fix that, or a CD with my song on it, both require special knowledge to make and either you accept the buy or not .... It's like a freelance reporter who discovers a story, but instead of seling it to everybody, you only offer it to one company.. -----Original Message----- From: Talley, Brooks [mailto:brooks@frnk.com] Sent: 16 July, 2003 11:02 PM To: bugtraq@securityfocus.com Subject: Disclosure-for-pay? My company recently received a communication from someone purporting to know of a security vulnerability in our web application. The individual stated that they would sign an NDA and report the details of the vulnerability to us if we paid his "consulting fee" and provided future services to him at no cost. Am I crazy here, or does this sound not good in several different ways? Is that kind of demand for payment for reporting a vulnerability at all the norm? I'd love any advice here. Thanks -Brooks
