
Dailydave mailing list archives
Re: No more free bugs (and WOOT)
From: Julien TINNES <jt () cr0 org>
Date: Thu, 9 Apr 2009 00:04:15 +0200
On Wednesday 08 April 2009, Charles Miller wrote:
> Hi Julien, I think you misunderstand. I'm all for responsible disclosure. I just think those doing the disclosure should be rewarded for their efforts. (This is how NMFB is fundamentally different from antisecurity.is I believe)
In an ideal world yes, as should people finding other (non-security) bugs.
> As for benefitting the general public, if researchers were actually rewarded for their work, more of them would look for (and report) vulnerabilities and the public would actually be better off. Ask yourself the question, would more IE bugs be found if the reward was a researcher's name in an advisory or a bug lump of cash?
If a software company wants to give bounties for this, I think it's a good idea, but I'm not sure how this campaign may help. If researchers stopped releasing bugs for free, companies would not suddenly start paying for them. Unfortunately most software companies would be perfectly happy without all those pesky hackers messing around with their code.

It's already hard to get some software companies to care and correct the bugs you give them for free (I have numerous examples, as I'm sure you do), I can't imagine what the situation would be if they had to buy them. It may actually give them a perfectly valid excuse for not looking at the bug.

To me, full disclosure would be more of a solution to this particular problem than trying to sell bugs. Unfortunately, it has lots of unwanted side effects too :)

Julien

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave