On Thu, 18 Oct 2001, Don Weber wrote:

> after reading the "0-day exploit..do i hear $1000?", I would tend to think
> it would be reasonable for at least the major vendors to give rewards for
> people finding vulnerabilities in a product, considering, those same vendors
> have spent lots of money alpha/beta testing the product, still not finding
> the same vuln's...

This reminds me of a joke I heard years ago about software company x offering QA testers a cash bonus for bugs found. There was suddenly a huge underground market fueled by a large increase in bugs.

I think that specifically dealing with exploits and the like, this is an area that is working just fine (given the circumstances and the nature of the business). I personally find RFP's approach (and many others) to be exceedingly appropriate.

As soon as $$ is introduced into the mix, many aspects of security and disclosure suddenly become extremely suspect. Do we trust MS to fully disclose all of their security issues? Nope. Why would somebody off in a dark corner of the world coding for cash necessarily make me feel more secure?

I'm not trying to take any potshots here, I'm just throwing out some legitimate concerns.

--Rebecca Kastl
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 19:40:35 PDT