I'm referring to an EWeek print article, "Dealing In Vulnerabilities", Vol. 25 #4, Page 14, 2/4/08. If you don't have the rag, it's talking about the RealPlayer exploit discovered 12/16/07 and, as of 1/31/08, still unpatched, and RealNetworks can't seem to find the exploit in their own code.
So what do people think about individuals/companies that specialize in breaking other people's software for the purpose of selling the info for profit, either back to the software manufacturer or to other interested parties?
Is this fair game, good for software security, bottom feeding, or extortion? So what do you think about companies like Gleg, featured in the article?
xor
Time Line According to EWeek
12/16/07 Gleg ships RP exploit to subscribers of the VulnDisco exploit pack
1/01/08 Gleg releases video of exploit
1/02/08 RealNetworks contacts Gleg to ask for flaw info. Gleg refuses
1/03/08 Carnegie Mellon's CERT/CC issues an alert and attempts to get info from Gleg. Gleg refuses
1/31/08 Exploit still unpatched
Here is a video of the exploit: http://www.gleg.net/realplayer11.html