>Back in 1999 I challenged the hacker community to >put their money where their mouth(s) was and if >they really wanted to make the Internet more >secure they should try to arrange to go up to >Microsoft for a few months, sign their NDA, and >do a no-holds-barred code-review of IIS.

>But that wouldn't be fun, would it? The hackers >want the power of ultimate self-determination, >and none of the responsibility. Unfortunately, >things don't work that way for very long.

I don't know about fun, but MSFT pays or used to pay @tstake, Foundstone, Core, Ernst and Young, and many other computer security consulting companies to review IIS among other things.

I'm not sure if its to better their security or buy their silence. I'm sure they all had to sign NDA's. Why publish an IIS hole when MSFT will pay $100's of thousands of dollars for you to find it and silently fix it?

Is that better for the community at large? What about the software companies that can't pay for the fansy "hackers"? Maybe they have security vulnerabilities that only the NSA and the hackers employed by the Chinese government know.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/334/32078#32078