FrSIRT Puts Exploits up for Sale

Posted by jericho Thu, 16 Mar 2006 10:47:45 GMT

FrSIRT Puts Exploits up for Sale, by Ryan Naraine, March 15, 2006

Independent security research outfit FrSIRT.com is putting its database of security exploits behind the paid curtain.

FrSIRT, previously known as K-Otik, has shut down the public exploits section of its Web site and announced that all exploits and proof-of-concept code will be sold through its subscription-based VNS (Vulnerability Notification Service).

Since they presumably didn’t write a majority of their exploits, what is the motivation for people to keep sending in such code if it will be used for profit? Wouldn’t exploit writers send it to Securiteam or another site that focuses on the code more than vuln tracking?


Comments

  1. jericho said 4 days later:

    http://www.frsirt.com/exploits/

    “In conformity with applicable French laws prohibiting Full-disclosure, the FrSIRT will no longer distribute exploits and PoCs on its public web site. Public exploits section has thus been definitively closed.”

    So French law makes it illegal to offer it for free, but legal to sell it?

  2. JxT said 4 days later:

    This is interesting. Especially as you point out, they don’t necessarily own the exploits on their site. So how does that affect the possibility of profiting off of them?

  3. jericho said 4 days later:

    Yes, that is an entirely different but interesting debate that has been going on the last few days as well. The people who wrote the exploits and sent them in, were they warned their work would be used for commercial gain? Were they compensated? Does French law allow them to sell other people’s copyrighted work like that?
