Researchers: Flaw auctions would improve security
Robert Lemos, SecurityFocus 2005-12-15

The auction may have set a record price for a highlighter pen and an 8-by-11-inch sheet of paper.

Researchers: Flaw auctions would improve security 2005-12-16
Sean (2 replies)
Where does the line fall between just trying to earn money for some hard work and blackmail? I feel that if we make this "legal", the next price for a "major" vulnerability won't be $1200. Tack on a couple more zeros at the end of that and you'll get your starting bid. Then what happens when the "researcher" doesn't get his price? What does he do with the information? What if the information is useless? Who does the flaw auction actually hurt? The company that now has to bid for its flaw? Possibly. I assure you that this cost will either be passed off to you, the consumer, or cause a business to go under.

And who else wants that flaw, and why? What true significance does this flaw hold for anyone but the developer of the software to fix? I stand by eBay's decision to pull the "pen and paper". I also feel that software companies should have a reward system, paying for flaws once the extent/criticality of the flaw is determined. Their policy should be public, as well as their pricing. The better the pay, the more people will hunt for that hidden egg, and the more secure the product? In theory, yes. The flip side of that is that companies that can dish out the money might skimp on security and code testing in the beginning, but that just means more money for the independent testers. Still sounds good to me.

Copyright 2009, SecurityFocus