Proposed: a Bounty for Bugs
Mark Rasch, 2003-11-10

Instead of paying hard cash to punish computer criminals, vendors should reward grey hat hackers for responsibly finding and reporting the security holes that make cyber attacks possible.

Proposed: a Bounty for Bugs 2003-11-10
researcher
Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Mark Rasch
The problem is not getting grey hats to contribute, it is getting companies to be responsible for responding. Sure, most of the vulnerabilities are known, and you need good rules to define when someone gets a bounty. Also, the system should allow for simple "credit" or even just compensation for costs and expenses for those who are, shall we say, lighter shades of grey. Of course the vendors and users will claim that they knew about the problem all along -- but this is also partially a PR thing for them as well.

Who knows... it's at least worth exploring. I am constantly asked by grey hats "how do I tell xxxx about this vulnerability?" We need an effective mechanism.

MDR

Proposed: a Bounty for Bugs 2003-11-11
Psuedo-Anonymous Coward (1 replies)
Proposed: a Bounty for Bugs 2003-11-19
Anonymous
Proposed: a Bounty for Bugs 2003-11-11
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-11
agent1
Proposed: a Bounty for Bugs 2003-11-11
Ragnarok
Proposed: a Bounty for Bugs 2003-11-11
Theuns
Proposed: a Bounty for Bugs 2003-11-11
frustrated security dweeb
Proposed: a Bounty for Bugs 2003-11-12
Bob Weiss - Passsword Crackers, Inc.
Proposed: a Bounty for Bugs 2003-11-12
Lockdown
Proposed: a Bounty for Bugs 2003-11-12
Anonymous
Proposed: a Bounty for Bugs: A Notoriously Bad Idea 2003-11-12
Michael Sierchio (1 replies)
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-13
Anonymous
Proposed: a Bounty for Bugs 2003-11-13
Sunil James - Director, iDEFENSE
Proposed: a Bounty for Bugs 2003-11-14
Administrator
Proposed: a Bounty for Bugs 2003-11-14
Anonymous
Proposed: a Bounty for Bugs 2003-11-15
Anonymous (1 replies)
Proposed: a Bounty for Bugs 2003-11-18
intruder
Proposed: a Bounty for Bugs 2003-11-18
Anonymous
Old idea ... 2003-11-19
Garry







 

Copyright 2008, SecurityFocus