
Dailydave mailing list archives
Re: No more free bugs (and WOOT)
From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Wed, 08 Apr 2009 20:44:16 +0200
Charles Miller wrote:
> At this point I'm not even concerned with making "reasonable" money. I'd be happy with researchers getting any money.
Oh?!
> (I know there are stopgap solutions like ZDI which is great, but buying bugs is not really their core business) I'd love to see what would happen if nobody reported any bugs for a year. Would the vendors start paying?
I see no incentive on their side.
> Would they even care?
Why would they? Of course, if we assumed that half of those researchers who stopped notifying vendors went underground (I mean commercialized cyber-crime here), then maybe *some* vendors (e.g. A/V) would be willing to hire more analysts. Of course, the AV would love the whole situation with more cyber-criminals all around (hush!). In fact, those few researchers that didn't go underground would love the situation too (more job offerings). But the whole point of this initiative, AFAIU, is to find out a *legal* way of making money on bugs.
> I don't have the solution, I just know nothing will ever change if the status quo remains. The only thing we can do is stop giving away our work and see what happens.
And who said we're giving it away for *free*? Some of us get recognition for our research and *legit* consulting/research jobs in return. We show our skills, we get a job -- this is how it has worked for many years. Also, maybe finding the n-th QuickTime or Acrobat bug isn't really worth as much as some of us would like to think (based on what we hear the underground pays)? While I can totally appreciate and admire a well-written exploit, this is more of an art, rather than something of the utmost importance for the industry. I mean... what does this n-th bug for Acrobat (or even exploit) really change? Prove anything? Maybe such things simply aren't worth that much in the *legit* world?
> I think the ideal solution would be all the big vendors would have to contribute to some fund (held at CERT or something) which could be used to pay independent researchers who find and report bugs.
That smells of communism to me ;) Not that I remember much of those times myself, but anyway ;)

joanna.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave