Group Releases Anti-Disclosure Plan
Kevin Poulsen, SecurityFocus 2003-06-04

A group of 11 of the largest software companies and computer security firms released the first public draft of a proposed bug disclosure standard on Wednesday, and asked the security community for comments.

Group Releases Anti-Disclosure Plan 2003-06-06
Dave Aitel
The standard is completely irrelevant. If you look at the number of interesting vulnerabilities actually found by these companies, only ISS via Duke and Zip has been any competition for a real researcher. These companies are all in hock to Microsoft via large consulting contracts anyways. In fact, the system they set up pretty much assumes that you don't want to make any money off of your research, because you're using it as a loss-leader. But a researcher, by definition, does not use his work as a loss-leader. Instead, we make significant amounts of money on it, by selling that valuable information to companies that are willing to pay for it.

For example, sometimes I put an 0day into CANVAS, which costs 1000 dollars. Peanuts. But Microsoft does not want to pay for CANVAS, so they do not get those 0day. Likewise, if I do not pay for Windows XP, they will not send me updates.

Needless to say, Immunity, and any company that does real research, will not be following this documented policy that robs us of our income.

Dave Aitel

Immunity, Inc.
