Groups argue over merits of flaw bounties
Robert Lemos, SecurityFocus 2006-04-05

Vancouver, CANADA--Vulnerability researchers, software makers, and security companies that buy information about software flaws found little common ground during a panel discussion on Wednesday debating the merits of vulnerability-purchasing programs.

Comments

Groups argue over merits of flaw bounties (TJ, 2006-04-07, 2 replies)

Re: Groups argue over merits of flaw bounties (Matthew Murphy, 2006-04-08)
"Maybe I'm naive. But why not leave the vulnerability research to the software vendors who make the products? Let them sink or swim based on how they maintain and patch them."

Because it's not that simple.

"If you choose to help, it's at your own risk, unless some type of contract or agreement has been created with the vendor for doing such work."

Untrue. Particularly in cases where issues of critical infrastructure security are at stake, I expose myself to legal liability by making no efforts to see a vulnerability I find resolved. I don't "choose" to make the vulnerability known. Legally, I'm obligated to. Granted, few people will be prosecuted for this, but I don't feel like breaking the law.

"I understand many want to help in the sense of protecting end users and the industry as a whole. But maybe helping is actually hurting. Maybe by helping them, they're not being held fully accountable for their own product."

Protecting end users and the industry isn't really the motive. It's an end-game goal, but many researchers are individuals securing their own networks or contracted professionals charged with securing clients' assets. Vulnerability research is an indispensable part of that work. We can't quit doing vulnerability research, and we can't (ethically, and in most cases legally) just ignore vulnerabilities we find.

I, for one, see vulnerability rights and trade as the PERFECT way to hold vendors accountable. It forces the people responsible for writing and releasing buggy code to pay for their choice.

Payment should be assessed on a scale based on the profit margins of the product for the affected vendor(s), exploit complexity and damage potential. Further sliding-scale penalties should be assessed until the vulnerability is patched, to compensate the researcher for his/her time in coordinating with the vendor. This will also encourage vendors whose patch processes are woefully inadequate in the efficiency department to step it up. Ideally, open-source and free software vendors would be obligated to pay nothing, because this would simply run them out as competition rather than motivating them to secure their code.

Link to this comment: http://www.securityfocus.com/comments/articles/11386/33611#33611
Copyright 2008, SecurityFocus