Re: 0-day exploit..do i hear $1000?

From: dullienat_private
Date: Fri Oct 19 2001 - 08:19:28 PDT

    Hey all,
    
    Something that should really be considered is that people finding bugs in
    products do unpaid quality assurance for vendors. If that person doing
    this research is not part of a company he doesn't benefit from
    publishing his work at all - especially if he doesn't intend on being
    hired by one in the near future either. Therefore he has no reason to
    publish anything.
    
    Most people looking for bugs these days are not regular customers of
    the software they're looking at, therefore having the bug fixed is not
    in their interest either as it would be for someone actually using the
    product.
    
    From this angle it would be sound & fair for large (especially
    security-conscious) corporations to put up a 'reward' for serious
    security vulnerabilities (in their products) being reported to them.
    
    I can understand the anger of certain exploit authors - they sit in
    their rooms, have published exploits, and now some guy who is using
    the exploits as a pen-tester makes money off them without the original
    author ever having seen a dime - no one can claim that this is fair.
    
    A fundamental question to be raised here is that of intellectual
    property for bugs - as the author of software can hardly be considered
    the copyright holder for any bugs he has inserted, one should perhaps
    consider whether the person who first detects the bug holds intellectual
    ownership of it and can thus prevent people who are not licensed to
    use it from using it.
    
    This is very dangerous as it would legitimize software patents as
    well, but then again, software patents seem to be acceptable behaviour
    in the less civilized parts of this planet.
    
    A completely different issue here would be bug classes: Suppose
    something like a new 'format string bug' class is around with the
    property of making 50% of the existing systems insecure; could I as
    the 'inventor' of this bug class try to patent it?
    Would that make everyone who is trying to use a bug of that class
    susceptible to paying me licensing fees? I can see the pen-testing
    business turn a lot towards being less profitable...
    
    So, who owns the bug if it is discovered? Why shouldn't trading bugs
    (even for money) be regarded as fair?
    
    I know the implications. We'd all land in jail very quickly ;)
    
    Cheers,
    dullienat_private
    -- 
    Best regards
    dullienat_private                            mailto:dullienat_private
    



    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 09:15:51 PDT