2003-11-10
Instead of paying hard cash to punish computer criminals, vendors should reward grey hat hackers for responsibly finding and reporting the security holes that make cyber attacks possible.
Proposed: a Bounty for Bugs: A Notoriously Bad Idea
2003-11-12
Michael Sierchio (1 replies)

- Opensource
When the next BIND/OpenSSH/etc. bug is found, who is going to pay up? In effect you'll be making it more worthwhile to rip into Windows than to concentrate on the broad spectrum of software.
- Penalties for Vendors
If the vendor does not issue an effective patch the first time around (as MS have done in the past) or does not issue a patch in a timely manner, they should pay a "fine" for remaining on the scheme. Perhaps this could fund payouts for OpenSource bugs?
- Severity
Who decides what is severe? According to MS the recent RPC flaws are not serious as long, according to Gates, as people have firewalls in place. Are we really saying that, if we let vendors rate their own vulns., they are going to be honest?
Still, MS' bounty scheme demonstrates again that they just don't "get it" - thinking like this is good. Kudos for trying to think differently.