So you’ve got a zero-day – do you sell to black, grey or white markets?

Barely a decade ago the mere idea of selling vulnerabilities was highly controversial. Today the market is mature, but increasingly complicated - researchers can now choose between making lots of money, being moral and making less, or going fully black. The 2015 pwning of Italian surveillance-ware-for-governments vendor …

  1. Chairman of the Bored

    I wonder how often you get a knock on the door...

    ...and get blackmailed into working for whatever government is on offer in your area. A silver or lead proposition. Given the complexity of the civil, tax, and criminal laws in most western countries it can seem damn near impossible to stay squeaky clean all the time.

    Not even a new problem... Supposedly Richelieu wrote "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

  2. ecofeco

    Simples

    Who pays the most?

    Because we owe no loyalty to the assholes who can't write good code any more and put us all at risk.

    1. amanfromMars 1

      Re: Simples... and Simpler Still

      Because we owe no loyalty to the assholes who can't write good code any more and put us all at risk. .... ecofeco

      One needs to realise and go considerably further than just that, ecofeco, and decide there is no loyalty available to that and or those who can't write good code .... for machines too are learning to deal in the dark and subtle arts which lead successfully in one class of media presented theatre or flash crash systems spontaneously and catastrophically in other engaging theatres ie beyond any possible repair ..... or for that and those putting any at risk of harm and arbitrary executive order sanction/termination with extreme prejudice without any notion about how to read/write any sort of good code.

      To imagine there be any supportive code of chivalrous conduct towards proven to be constantly failing to learn from mistakes bodies/corrupted entities, will not be helpful and can easily be deadly too. Such then is always best smartly avoided and to be roundly circumvented with no personal dealings. Let Proxies take the Strain and Suffer the Pain whenever Great Gains are to be Tainted in Delivery to Provide and Ensure and/or Insure Against Prime Asset Capture for Exclusive Pilfered Use by Unsavoury Second and Third Party Parties of Captured Prime Asset Proprietary Intellectual Property ..... Raw Native Novel Source.

  3. Pascal Monett

    Ah, Georgia

    "In the US State of Georgia’s a proposed hacking law could criminalize researchers for doing their job"

    So many stupid things have happened there.

    1. Chairman of the Bored

      Re: Ah, Georgia

      Have a pint, that link made my day. Forwarded to my colleagues at Georgia Tech for comment and rebuttal.

  4. Rajesh Kanungo

    Question of ethics

    We know that FB sold information to Cambridge Analytica which was used to target citizens in various elections around the globe. Both FB and CA made a ton of money. FB was also the platform of choice for Russian trolls. So FB made money from them.

    I KNOW I will never do this but as a security professional, I can see an immoral person justifying selling an FB 0-day to a foreign agency and keeping the money for himself. This is a very slippery slope.

    Companies are making a ton of money writing bad software and not following SDLC. Shouldn't they be to blame? I can see occasional mistakes slipping through the cracks but a whole slew of them? Every day I hear of Flash 0-days. What is up with that? And they are still making money?
