Ethics question
#1
I’ve felt increasingly frustrated with how software vendors handle security issue reporting. I rarely feel motivated to research, let alone report to vendors, with the treatment I get. Would it be wrong to sell exploits to exploit brokers who give the information to law enforcement? Honestly, as a student the money is much needed along with rising medical costs. Advice anyone?
Reply
#2
(09-18-2018, 12:24 PM)lunorian Wrote: I’ve felt increasingly frustrated with how software vendors handle security issue reporting. I rarely feel motivated to research, let alone report to vendors, with the treatment I get. Would it be wrong to sell exploits to exploit brokers who give the information to law enforcement? Honestly, as a student the money is much needed along with rising medical costs. Advice anyone?

Well, I would say it is not the best option, but morally there are worse things imo.
I can understand you; vendors are usually scared and that's why they treat vuln researchers badly.
I don't really want to influence you; my thoughts are mixed up regarding this.
Reply
#3
One program I found https://zerodium.com/program.html pays quite a bit for exploits including PHP ones (which are kinda easy (for me at least), however sometimes time consuming, to find). The amount is really enough to make me consider it and with my current level of stress and frustration it's quite tempting.
Reply
#4
(09-19-2018, 01:05 AM)lunorian Wrote: One program I found https://zerodium.com/program.html pays quite a bit for exploits including PHP ones (which are kinda easy (for me at least), however sometimes time consuming, to find). The amount is really enough to make me consider it and with my current level of stress and frustration it's quite tempting.

Then go for it; in the end you should get a reward for your efforts. I don't think it's unethical at all to sell the exploits; in a way it's not more unethical than working for a boss or a major company.
Would it be unethical to work at Google, logging the behaviour of people online to target them commercially?
Basically, Google is an advertising company and not a search engine anymore.
Would it be unethical to work for Facebook, which keeps you in a selective world, showing what you want to see, keeping you in the bubble called your own world?
If you raise this question for everything around you, there's always a point of view where it is unethical to some degree, and from another point of view it isn't. It just depends on your point of view.

I raised the question for myself whether it was unethical that I supported the development/role that computers play in modern society... it brought good, as well as bad.
The ethical or unethical question would more be for the government(s)/companies that would buy your exploits, and use it in a certain way, with a certain goal.
Reply
#5
Usually when it comes to ethics questions, if you have to ask, it's probably not ethical. Now having said that, selling exploits is not a big deal. I sell them all the time. I also sell my services for people who have been fucked over by individuals. So it depends on your moral compass, mine usually points to Hell, so you know..
Reply

