Full Disclosure mailing list archives
RE: M$ puts bounty out for Blaster and Sobig culprits
From: Vic Vandal <vvandal () well com>
Date: Wed, 5 Nov 2003 10:30:30 -0800 (PST)
In all fairness, you forgot at least one possible scenario in your rebuttal:

5. If one person found a flaw, logic and common sense dictate that others could and would eventually find the same flaw. Hopefully by that time M$ (or any other software vendor) would have done the smart/right thing and issued a patch or service pack to address the flaw (whether or not anyone actually applied the patch is another story). At least under that scenario the likelihood of a zero-day exploit is reduced.

Therefore my point stands, although I didn't put more than a moment's thought into it before spewing it out. It was almost meant in jest, and I never indicated it was an absolute solution (note the words "maybe" and "might" clearly included). Anyway, my main contribution there was the article, strictly for informational sake. When I try to solve the InfoSec problems of the world, I'll be a lot more thorough about it.

Peace,
Vic

On Wed, 5 Nov 2003, Jerry Heidtke wrote:
> > Maybe M$ should put out a bounty for reporting bugs in their crappy software without going public instead. That might be more effective.
>
> Where would the benefit to anyone be from that? The person reporting the bug may get a little money, at the cost of never mentioning it to anyone else. Do you think MS would fix a bug that wasn't going to be publicly disclosed?
>
> Bounties for reporting bugs can be a good thing. With MS, it would just be hush money.
>
> Scenarios as I see them:
>
> 1. Person reports bug to MS, person voluntarily doesn't publicly disclose, MS doesn't fix bug.
> 2. Person reports bug to MS, person gets paid not to publicly disclose, MS doesn't fix bug.
> 3. Person reports bug to MS, person later publicly discloses, MS may or may not fix bug.
> 4. Person doesn't report bug to MS first, person publicly discloses bug, MS may or may not fix bug.
>
> Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html