Proposed: a Bounty for Bugs
Mark Rasch, 2003-11-10

Instead of paying hard cash to punish computer criminals, vendors should reward grey hat hackers for responsibly finding and reporting the security holes that make cyber attacks possible.

Proposed: a Bounty for Bugs 2003-11-10
researcher
Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Mark Rasch
Proposed: a Bounty for Bugs 2003-11-11
Psuedo-Anonymous Coward (1 replies)
Proposed: a Bounty for Bugs 2003-11-19
Anonymous
Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-11
agent1
Proposed: a Bounty for Bugs 2003-11-11
Ragnarok
Proposed: a Bounty for Bugs 2003-11-11
Theuns
Proposed: a Bounty for Bugs 2003-11-11
frustrated security dweeb
Proposed: a Bounty for Bugs 2003-11-12
Bob Weiss - Password Crackers, Inc.
I added a comment to the OIS proposal regarding requests for compensation from security researchers who have identified vulnerabilities. The gist of the comment was that I felt that the OIS proposal did not deal with when and how such a request would be legitimate. I think that creating an economic incentive for finding and exposing vulnerabilities or bugs is a good way to go. This issue is not only about notification, but should also be about incentive. Serious security researchers cannot be expected to continue to expose flaws out of the goodness of their hearts. They become, in effect, QC and testers for the manufacturers. Quality research in this area should be compensated. Initially, I thought that the guidelines might embrace a methodology for negotiation between the manufacturer and researcher, but a fixed "bounty" might also be a way to go. I expect that the "bounty" should not be high enough to be punitive, but should be based on some reasonable estimate of the amount of time that can go into this work. Punitive penalties will be handed out by the courts, eventually, when enough users are hurt by a software company that knowingly releases software that is insecure. A "bug bounty" would open the market to a wide range of hackers and security professionals who would actively identify flaws and vulnerabilities. Combined with an industry standard for proper notification of users and some time for manufacturers to issue and test patches, I think we would be approaching a better paradigm for the identification and remediation of security bugs by a broad community that is properly incentivized.
Link to this comment: http://www.securityfocus.com/comments/columns/197/23637#23637
Proposed: a Bounty for Bugs 2003-11-12
Lockdown
Proposed: a Bounty for Bugs 2003-11-12
Anonymous
Proposed: a Bounty for Bugs: A Notoriously Bad Idea 2003-11-12
Michael Sierchio (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-13
Sunil James - Director, iDEFENSE
Proposed: a Bounty for Bugs 2003-11-14
Administrator
Proposed: a Bounty for Bugs 2003-11-14
Anonymous
Proposed: a Bounty for Bugs 2003-11-15
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-18
intruder
Proposed: a Bounty for Bugs 2003-11-18
Anonymous
Old idea ... 2003-11-19
Garry
Copyright 2008, SecurityFocus