
> “Zerodium customers were aware of it since 3 years.”

This is why we can't have nice things. Zerodium, thanks for being honest, but services such as yours are actively making the internet a worse place.




As someone who has sold exploit code to various brokers in the past, I don't think Zerodium are making the internet a worse place. I forget the exact year, but it was around 2004 - 2006 when one of my friends reported a vuln to phpbb; they openly mocked her and downplayed the issue with no fix. She put together a professional-looking report on how it works and submitted it privately to the product team; she was then ignored and banned from their IRC. She then published the exploit publicly and they sued her, they forced her ISP to take punitive action, and they contacted her college to try and get her suspended.

Fuck reporting vulns, fuck open disclosure. Just sell what you find to brokers.

Chaouki Bekrar says there are three options:

1. Full disclosure so anyone/Govs can (ab)use it without limits/regulation

2. Sell to Govs/brokers and get a decent revenue while limiting (ab)use

3. Report to vendors & get sued, or get shitty bounties and/or your name in advisories

I agree with him.


Cannot upvote this enough. Finding a vuln is one thing; the other thing is power structures, politics, and people's feelings in companies or OSS projects that are hit with that vuln.

Yeah, it should be a learning experience: fix it and get over it. But it is not easy if you have 3 people waiting for you to slip to get your position. Some others want to make money on writing a story about how bad your software is, even though it might not be your issue (VLC-bug story) because software is complicated. Good luck with explaining that it was not your fault...


> She then published the exploit publicly and they sued her

So you're saying that a bunch of volunteer open source developers collectively sued a security researcher? That sounds like it would have made for an epic Hacker News story. Do you have any documentation that this happened?


Look up 'santy worm' and the now defunct "howdark.com". It never ended up in court; it went as far as lawyers' letters until they backed down. It wasn't phpbb that sent the lawyers' letters, it was a business owner that used phpbb that was hit by the santy worm. The lawsuit would have likely gone nowhere, but she still had to spend cash on her own lawyers; she was 19 at the time and did nothing more than a standard vuln disclosure to the community. This isn't even an extreme case, there's much worse.


Having dealt with some disclosure issues in the past, it's fraught with peril.

There's even a conference dedicated to it now: https://www.disclosureconference.com/

It's probably worthwhile to attend.


I'm surprised it took this long to be found. Searching for shell_exec() and/or exec() in the source would be the first thing I'd do if looking for RCE.


Well, it was

    eval($code);

so it's even worse. Those two wouldn't show up, but you can call them if you want to!


The examples they gave are just that, examples. Someone actually searching would enter a term like "eval(" so as to find usage of that function, regardless of what the actual arguments were.
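The source-search approach discussed in this exchange, as an added example that is not from the thread or from phpBB: a small Python audit script (the SINKS list, find_sinks and the embedded sample PHP are constructed for illustration) that flags direct calls such as eval($code) and also string literals naming a sink, which a plain search for "shell_exec(" would miss when the function is invoked through a variable or call_user_func.

```python
import re

# PHP functions (plus the eval/assert language constructs) that hand a string
# to the interpreter or the OS shell. Each is a potential code-execution sink.
SINKS = ("eval", "exec", "shell_exec", "system", "passthru",
         "popen", "proc_open", "assert")

# Direct call: sink name immediately followed by "(", e.g. eval($code)
DIRECT_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
# Indirect call: sink name as a string literal, e.g. $f = 'shell_exec';
# or call_user_func('system', $cmd). Searching for "shell_exec(" misses these.
INDIRECT_RE = re.compile(r"['\"](" + "|".join(SINKS) + r")['\"]")


def find_sinks(php_source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, sink_name, kind) for every suspicious use."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*")):
            continue  # skip obvious comment lines
        for m in DIRECT_RE.finditer(line):
            hits.append((lineno, m.group(1), "direct"))
        for m in INDIRECT_RE.finditer(line):
            hits.append((lineno, m.group(1), "indirect"))
    return hits


# Constructed sample input, not code from any real project.
SAMPLE_PHP = """<?php
// constructed sample
$code = $_POST['tpl'];
eval($code);
$runner = 'shell_exec';
echo $runner($_GET['cmd']);
call_user_func('system', 'ls');
"""

if __name__ == "__main__":
    for lineno, name, kind in find_sinks(SAMPLE_PHP):
        print(f"line {lineno}: {name} ({kind})")
```

Running the script lists eval on line 4 as a direct sink and shell_exec and system on lines 5 and 7 as indirect ones; a review of each hit is still needed, since the script only locates sinks, not whether their input is attacker-controlled.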


I think the anonymous researcher that disclosed it more broadly now is the one making the internet a worse place.

Why do our opinions differ?



