Groups argue over merits of flaw bounties
Robert Lemos, SecurityFocus 2006-04-05

Vancouver, CANADA--Vulnerability researchers, software makers, and security companies that buy information about software flaws found little common ground during a panel discussion on Wednesday debating the merits of vulnerability-purchasing programs.

Groups argue over merits of flaw bounties 2006-04-06
KF (1 reply)
I am personally tired of vendors simply expecting me to hand over my research for free. My time is worth more than that... I am not a source of free Q.A. I should be paid for my time just as any other worker would.

Vendors have no place to complain about responsible disclosure et al. when they...

Re: Groups argue over merits of flaw bounties 2006-04-06
Tom Ferris
I totally agree with you. Vendors expect flaw information for free. As for the credit thing, last I found out getting credit on a vendor advisory didn't pay any of my bills. ;)...

Groups argue over merits of flaw bounties 2006-04-07
Matthew Murphy
Minor clerical issue. The wording that reads "cuffed and..." should have a period in place of 'and'. The following word is merely for emphasis.

And yes... dealing with third-parties is certainly a safer revenue source than going to vendors asking for money for vulnerability reporting... :-)...

Groups argue over merits of flaw bounties 2006-04-07
TJ (2 replies)
Maybe I'm naive. But, why not leave the vulnerability research to the software vendors who make the products? Let them sink or swim based on how they maintain-patch them. If you choose to help, it's at your own risk, unless some type of contract-agreement has been created with the vendor for doing ...

Re: Groups argue over merits of flaw bounties 2006-04-07
Anonymous
In reply to TJ's post, I don't think that's the right attitude at all. By doing that you're leaving yourself at risk as well as everyone else. Just because a vulnerability is not reported to a vendor does not mean it's not known.

Also many vendors will not learn on their own how to handle security ...

Re: Groups argue over merits of flaw bounties 2006-04-08
Matthew Murphy
"May be I'm naive. But, why not leave the vulnerability research to the software vendors who make the products? Let them sink or swim based on how they maintain-patch them."

Because it's not that simple.

"If you choose to help, it's at your own risk, unless some type of contract-agreement has ...

Groups argue over merits of flaw bounties 2006-04-10
Anonymous (1 reply)
It is too bad that the author decided not to include Jennifer Granick's point of view. She was the only person in the panel that indicated that this whole thing does not help the end users and should be considered as a matter of public safety, not as a business opportunity of for-profit organization...

Re: Groups argue over merits of flaw bounties 2006-04-10
Anonymous
Jennifer Granick...isn't she the lawyer who defends just about every convicted hacker? Yeah, of course she's against this. It gives her clients a source of income and keeps them out of jail...and therefore not needing her services. Everybody is in it for their own interests. ...

Copyright 2009, SecurityFocus