Michael, you're worried what might happen if somebody values the worth of not disclosing a vulnerability higher than the reward for disclosing it to the vendor. You see this as the major flaw in the scheme.

Explain to me please how this is different from the current situation where you get nothing for the discovery. If I follow your logic there would be no real reason to disclose the information because the discoverer gets nothing in return, except the credits. At least now when you get some cash in return, this might convince a cash starved grey hat that it is more sure and more profitable to report the bug than to steal a couple of creditcard numbers with the new found vulnerability.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/197/23664#23664