
Dailydave mailing list archives
Re: No more free bugs (and WOOT)
From: Charles Miller <cmiller () securityevaluators com>
Date: Wed, 8 Apr 2009 13:43:22 -0500
Hi Julien,

I think you misunderstand. I'm all for responsible disclosure. I just think those doing the disclosure should be rewarded for their efforts. (This is how NMFB is fundamentally different from antisecurity.is, I believe.)

As for benefiting the general public, if researchers were actually rewarded for their work, more of them would look for (and report) vulnerabilities, and the public would actually be better off. Ask yourself the question: would more IE bugs be found if the reward was a researcher's name in an advisory or a big lump of cash?

I'm not entirely sure what you mean about Pwn2Own, but if you are referring to the guy who had the already disclosed Safari bug(s), I beat him not because his bug was already disclosed (and hence fell outside the rules), but rather because my name was randomly selected first :p

Charlie

On Apr 8, 2009, at 1:23 PM, Julien TINNES wrote:
> On Wed, Apr 08, 2009 at 11:17:29AM -0500, Charles Miller wrote:
>
> > Hi everybody. You may have heard something about the No More Free Bugs campaign (http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/). Basically, it is the chance for researchers to unite to get paid for the hard work we do. As long as folks continue to give bugs to companies for free, the companies will never appreciate (or reward) the effort. So I encourage you all to stop the insanity and stop giving away your hard work.
> >
> > If you believe in the No More Free Bugs campaign, please include our logo (http://nomorefreebugs.org/logo.jpg) on all of your presentations at security conferences. I think it would be really great if vendors sat through an entire conference and every talk had this logo on it. I'll definitely have it on my BlackHat Europe slide deck next week.
>
> Hi,
>
> I don't understand the point of the campaign. Why are you trying to convince people not to report bugs responsibly directly to vendors? What harm would it do? I can understand the reasons for a researcher to sell bugs to ZDI or iDefense; I cannot understand how it could benefit the general public if all security researchers did so. Are you trying to make vulnerability selling a bigger market so that prices go higher?
>
> Please, sit on vulnerabilities for months if you think this is what good security researchers do [1], sell your bugs if you want (and there is certainly a lot of appeal in doing so), but don't try to convince everyone else this is the way things should work! Or next year your opponent's efforts may not fall outside the pwn2own criteria and you may not win ;)
>
> Julien
>
> [1] http://www.securityfocus.com/news/11549