2006-03-07
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?
The value of vulnerabilities
2006-03-08
Omar A. Herrera (2 replies)
Re:Good Points
2006-03-08
R_U_Trustified (2 replies)
Re: Re:Good Points
2006-03-09
Matthew Murphy (1 replies)
Re: Re: Re:Good Points
2006-03-14
Robert E. Lee (1 replies)

Finding exploits = time = money
For commercial applications there is no free lunch. I have yet to see a commercial application developer come and give me a free unlimited copy of his product. So please give me a valid reason to pass free information to someone who will profit directly from my effort.
Here is what most "responsible" researchers do:
1 ) Find a vulnerability
2 ) Contact vendor
3 ) vendor patches
4 ) vendor profits
5 ) ??? profit for researcher ??? --> none
Here is how it should be (model 1):
1 ) Find bug
2 ) Contact vendor
3 ) vendor pays
4 ) vendor patches
5 ) everyone profits
6 ) vulnerability report gets disclosed or not, depending on the agreement reached with the vendor.
If step #3 of model #1 fails, then the procedure should become this:
1 ) Find vulnerability
2 ) Sell the vulnerability information to the best bidder (if the vendor did not care about his customers' security, why should you?)
3 ) Profit for your time and effort.
4 ) You may contact the vendor if you want. I personally would not waste my time doing that if method #1 has failed.
This model works perfectly. After all, if the vendor profits you should also get the money from your effort.
Link to this comment: http://www.securityfocus.com/comments/columns/391/33278#33278