Dailydave mailing list archives

Re: Lap Dances for All


From: <halvar () gmx de>
Date: Wed, 2 Mar 2005 23:28:07 -0800

Hey all,

just to chip in a few cents:

Right now, there is no way for a customer to judge the security of a closed-source software product, and thus we have a classical market failure where more secure software is driven out of the market (as it is more expensive to build, thus more expensive to sell and the customer will buy the cheaper product since he can't see the difference).

It is clear that we thus need to "link" the risk of widespread attacks using unknown vulnerability back into the market. I see two avenues of doing this:

1. Make the software industry liable for damages from worms etc. -- obviously, they would have to buy insurance for this
2. Create a market for vulnerabilities where the folks that find bugs have a place to go and get paid for their work

I seriously wonder which one of the above two options software vendors like better. And the next time some vendor tries to tell you it is unethical to sell bugs, ask him which of the two options he prefers.

Cheers,
Halvar
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

