FX wrote: > I leave the ethical aspects of this request by ISS for the consideration > of the inclined reader. They have to collect exploits to write shell code for their IDS products, otherwise they can't create signatures. I recall a similar request and it included this piece of information. Of course, this doesn't make this activity less questionable. You normally don't see it because usually, ISS and others can obtain exploits quietly through "responsible disclosure", especially if ISS serves as a coordinator or is somehow involved (via IT-ISAC, for example).