Full Disclosure mailing list archives

RE: M$ puts bounty out for Blaster and Sobig culprits


From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Wed, 5 Nov 2003 11:52:40 -0600


> Maybe M$ should put out a bounty for reporting bugs in their
> crappy software without going public instead.  That might be
> more effective.

Where would the benefit to anyone be from that? The person reporting the
bug may get a little money, at the cost of never mentioning it to anyone
else. Do you think MS would fix a bug that wasn't going to be publicly
disclosed?

Bounties for reporting bugs can be a good thing. With MS, it would just
be hush money.

Scenarios as I see them:

1. Person reports bug to MS, person voluntarily doesn't publicly
disclose, MS doesn't fix bug.

2. Person reports bug to MS, person gets paid not to publicly disclose,
MS doesn't fix bug.

3. Person reports bug to MS, person later publicly discloses, MS may or
may not fix bug.

4. Person doesn't report bug to MS first, person publicly discloses bug,
MS may or may not fix bug.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

