Hi,

Eric wrote on Wed, Jul 04, 2018 at 01:55:17PM -0500:

> The solution is obvious.  If there are any bug fixes of sufficient
> importance, report the bug, collect the $500,000 for the foundation,
> and then fix it.

i can hardly believe this needs to be said, but given the lack of
any smiley, and given the presence of several purportedly "humorous"
postings in this thread:

Given that the very *purpose* of the company trying to buy these
exploits is to earn money from COVERTLY BREACHING THE PRIVACY OF
SOFTWARE USERS, i'm calling out that company, and any other company
with a similar business plan, as a particularly bad instance of
ORGANIZED CYBERCRIME according to any reasonable moral standard.
For example, i believe that this kind of criminal activity is
SUBSTANTIALLY WORSE than ordinary credit card fraud because such
companies put hundreds of millions of people at risk who do not
even learn that they were harmed, not even after the fact, whereas
with ordinary fraud, the victim at least knows about the completed
crime.  Besides, what this company does is life-threatening, whereas
credit card fraud only puts your money in danger.

So i'm adamant that anybody even remotely considering doing any kind
of business with such a company must be instantly expelled from any
kind of free software project.

Besides, you can't be so naive as to think that you will see any
money from such a criminal enterprise without signing an NDA to NOT
DISCLOSE THE VULNERABILITY TO THE SOFTWARE AUTHOR (or anyone else)?

Besides, even if you could retain the right to publish the vulnerability
you reported, it is an obvious requirement of basic ethics that you
report potentially dangerous bugs as soon as possible TO THE SOFTWARE
AUTHOR, in particular, before talking to anybody else about them,
and that you do not disclose the problem to third parties before
the vulnerability is fixed, unless the author fails to fix the
problem within a reasonable time, typically a few days, sometimes
maybe a few weeks.

So the order of actions you are proposing is close to criminal as well.


Now, can we please stop this thread?

Even joking about these matters is hardly funny because it implies
an insinuation that there might be anybody involved in OpenBSD who
might remotely consider doing business with such criminal organizations,
or that there might be any bribable or corrupt people in the vicinity
of the project.  Such insinuations are not funny.


The question of how such criminal organizations could be abolished
might be considered politically interesting by some, but even that
question is totally off-topic on misc@.  It is simply and plainly
unrelated to OpenBSD.

The only on-topic aspect is the fact that state agencies exist that
actively and systematically attempt to compromise the security of
any kind of software, including free software, including OpenBSD.
But that is not news.