Simon Smith wrote: > Blue Boar, > Simply put, and with all due respect, you're wrong. About? I see basically two assertions in my note; 1) that I would sell to iDefense or TippingPoint. Surely you're not going to tell me what I would do? And 2) That iDefense isn't doing the same thing that Blackhats are. Is the latter one the one you disagree with? > Furthermore I don't > appreciate you directly or indirectly suggesting that these exploits are > being sold on the black market, that will never happen on my watch, ever! If you look carefully, you'll see I was replying to Kevin, who did make a comparison to selling to blackhats. I hadn't even seen your note at the point, and I wasn't replying to you, and I didn't quote anything you wrote. So I assume you think I was saying that your company is selling to blackhats. I wouldn't think you were. Certainly you don't mean to claim that, in general, the entire market never sells to blackhats, nor that you have any control over what others do. > More importantly, the company that I am working with is no different > than iDefense. In fact, they both sell their exploits and harvested research > to the same people. The only real difference is in the amount of money that > the researcher realizes when the transactions are complete. This difference > is a direct result of low corporate overhead. > > Lastly, all transactions require that the researcher engage the company > that I work with in a tight contract. This contract ensures that both > parties are legitimate and also protects both parties. They don't do that on > the black market do they? So, is the problem that I didn't realize you guys also bought vulns, and that you pay more? No, I had no idea that you did. I guess some better marketing is in order. The quarterly challenge thing is pretty good for publicity, maybe you guys should do one of those. BB
