Proposed: a Bounty for Bugs
Mark Rasch, 2003-11-10

Instead of paying hard cash to punish computer criminals, vendors should reward grey hat hackers for responsibly finding and reporting the security holes that make cyber attacks possible.

Proposed: a Bounty for Bugs 2003-11-10
researcher
Your plan is great! Only one detail needs to be changed: instead of 6000, let's make it 600,000.

See, vendors are happy to have everyone do free or extremely cheap QA for them. They'd like to set the price for the rest of us on our information.

Aka, your plan is crap.

-a researcher....

Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
There is already a system similar to this (at least for the greyhat hacker). It's the iDEFENSE vulnerability contribution program.
Though iDEFENSE pays the hackers.
...

Proposed: a Bounty for Bugs 2003-11-13
Mark Rasch
The problem is not getting grey hats to contribute, it is getting companies to be responsible for responding. Sure, most of the vulnerabilities are known, and you need good rules to define when someone gets a bounty. Also, the system should allow for simple "credit" or even just compensation for c...

Proposed: a Bounty for Bugs 2003-11-11
Psuedo-Anonymous Coward (1 replies)
I'd like to see the Bug Bounty funded by fines levied against those who fail to patch in a timely manner....

Proposed: a Bounty for Bugs 2003-11-19
Anonymous
I agree. Vendors making everyone else their guinea pig, at whose expense? The user? ...

Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
You forget one thing: Hackers are not corporate beings, and don't like to be shoehorned into corporate processes and procedures, especially not when it means more work than fun. Scratch that idea.
And a bounty will only attract other types of hackers -- not those interested for the sake of intere...

Proposed: a Bounty for Bugs 2003-11-13
Anonymous
White, black, gray or combinations... it doesn't matter, does it? Companies only need to know the bug, not who found it. Of course they would prefer that their employees make such discoveries, or even better program securely and not introduce that kind of problem, but that's their hiring policy proble...

Proposed: a Bounty for Bugs 2003-11-11
agent1
While this is a great idea, the problem would be companies stating they were already aware of that bug to avoid paying out money. They would then make a fix for it now that they really were aware of it thanks to the grey hat, and nobody would ever receive any compensation. If a contract could be mad...

Proposed: a Bounty for Bugs 2003-11-11
Ragnarok
just wondering...

If micro$oft paid for found bugs, they'll go bankrupt in no time. jajajaja.......

Proposed: a Bounty for Bugs 2003-11-11
Theuns
Interestingly, recent events appear to demonstrate the inverse: find a bug, tell the company, get slapped with a civil or criminal lawsuit.

After all, we couldn't have people going telling others about the bugs in systems, now can we?

[In other words, before this is feasible, a culture change ...

Proposed: a Bounty for Bugs 2003-11-11
frustrated security dweeb
Best idea I have seen so far....

Proposed: a Bounty for Bugs 2003-11-12
Bob Weiss - Password Crackers, Inc.
I added a comment to the OIS proposal regarding requests for compensation from security researchers who have identified vulnerabilities. The gist of the comment was that I felt that the OIS proposal did not deal with when and how such a request would be legitimate. I think that creating an economi...

Proposed: a Bounty for Bugs 2003-11-12
Lockdown
The problem with this is that these holes are already known. You can pay the "Grey-Hats" all of the money you want. If the people don't patch their systems the worms and virii will still be out there wreaking havoc....

Proposed: a Bounty for Bugs 2003-11-12
Anonymous
It's a great idea in theory, but I think in reality it will be too hard to implement. Most notably, it would be almost impossible to figure out the rate at which people would be paid; and if company X screws you and pays you less than you deserve, you have little legal recourse. Though thinking like t...

Proposed: a Bounty for Bugs: A Notoriously Bad Idea 2003-11-12
Michael Sierchio (1 replies)

The problem with offering what amounts to a prize for discovering and revealing a security flaw is plainly evident: what if the discoverer decides that the potential reward of not disclosing the defect is greater than the offered prize?

...

Proposed: a Bounty for Bugs: A Notoriously Bad Idea (NOT) 2003-11-13
Raindeer (1 replies)
Michael, you're worried what might happen if somebody values the worth of not disclosing a vulnerability higher than the reward for disclosing it to the vendor. You see this as the major flaw in the scheme.

Explain to me please how this is different from the current situation where you get nothin...

Proposed: Pay for non-disclosure 2003-11-17
Anonymous
Why don't the researchers come up with an estimate of the value of their exploit.

Then they contact the vendor and say, "I have discovered a new exploit against your software. I realize it takes time to repair such things and I am willing to withhold disclosure for $100 per day, negotiable. I will...

Proposed: a Bounty for Bugs 2003-11-13
Anonymous
There are some points that need considering here:

- Opensource

When the next BIND/OpenSSH/etc bug is found, who is going to pay up? In effect you'll be making it more worthwhile to rip into Windows than concentrate on the broad spectrum of software

- Penalties for Vendors

If the vendor d...

Proposed: a Bounty for Bugs 2003-11-13
Anonymous
This could also be seen as an incentive to programmers to write buggy code for their employers. They could then split the bounty with the anonymous gray hat (or be the anonymous gray hat themselves) for finding something they put in. Especially with the anonymity aspect, folks doing debugging work wi...

Proposed: a Bounty for Bugs 2003-11-13
Sunil James - Director, iDEFENSE
This is a great discussion, one that will surely continue at the Vulnerability Disclosure conference in Stanford next week. Not trying to toot my own horn, but iDEFENSE recognized this path over a year ago and implemented its Vulnerability Contributor Program (VCP) so as to provide a manner in which...

Proposed: a Bounty for Bugs 2003-11-14
Administrator
Why pay them when you can sue them, and send them to prison?

What a wonderful place America is....

Proposed: a Bounty for Bugs 2003-11-14
Anonymous
Amen!...

Proposed: a Bounty for Bugs 2003-11-15
Anonymous (1 replies)

"If the vulnerability creates a substantial risk to the vendor, or the product's users, the vendor would pay a bounty for the discovery, in addition to giving the finder proper credit. So, for example, the vendor could pay $6,000 for a vulnerability"

Why should a company who employs smart and ...

Proposed: a Bounty for Bugs 2003-11-18
intruder
>>> Why should a company who employs smart and well trained professionals rely on unknown greys to find the security holes and audit their code?

OK. To be serious, which company really has that? They throw beta stuff on the market as "final release" and let the customer be the testdude. ...

Proposed: a Bounty for Bugs 2003-11-18
Anonymous
http://www.andrew.cmu.edu/~kkannan/paper/sec.pdf...

Old idea ... 2003-11-19
Garry
Don Knuth already had that idea many years ago, making his typesetting system TeX one piece of stable software ... Don doubled the reward for found bugs every year ... not sure if anybody ever cashed the hand-signed DEK-cheques ... ;)...

Copyright 2009, SecurityFocus