Dailydave mailing list archives

RE: Lap Dances for All


From: surreal () delusory org
Date: Thu, 3 Mar 2005 13:34:37 -0700

-------- Original Message --------
Subject: RE: [Dailydave] Lap Dances for All
From: "Chris Wysopal" <weld () vulnwatch org>
Date: Thu, March 03, 2005 12:40 pm
To: surreal () delusory org
Cc: dailydave () lists immunitysec com

> On Thu, 3 Mar 2005 surreal () delusory org wrote:
>
> > Does the NDA, or anything other than pride, prevent Microsoft from
> > joining the VSC and addressing these "tactical nukes" as they're
> > deployed? If so, it would be magnanimous to offer MS a special license
> > at a reasonable price ($300K too cheap?) that would allow them to share
> > the vulnerabilities internally and address them.
>
> I imagine that Microsoft doesn't want to join a VSC to get vulnerability
> information as that would set a precedent with the ultimate result being
> 200 VSCs, each with one researcher contributing and charging ever higher
> membership fees.
>
> -Chris

I heard that MS was friendly with one security outfit for a while...

If a vendor is one of "few" entities willing to pay big bucks for vulns,
they're in a good position to negotiate. Pay enough to keep researchers
loyal to them (i.e., not pimping their vulns for a quick hundred) and
everyone wins.

If high-value VSCs emerge and vendors join them, they've effectively
outsourced/offshored some QA work. How many hotshot vulnerability
analysts can anyone hire for $100K a year? They might eventually say
"trustworthy computing" and not have people snicker at them.

<don tinfoil hat>
Of course, nobody's actually said that MS isn't a member. "someone"
might be under a contractual obligation to disavow any relationship. He
might even have a remotely-triggerable...  Has anyone _watched_ Dave go
through airport security lately?
</hat>

Surreal

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave