RE: 0-day exploit..do i hear $1000?

[Scoubidou <scoubi-bugtraq () altern org>]

At 11:28 AM 10/18/01 -0700, Don Weber wrote:


> say 25000$ in a trust fund which has a panel of lets say 20 judges from the
> security industry, then after money is confirmed deposited to fund, hacker
> tells company what the problem is, company writes/releases patch, panel of
> Judges then read the reports on do whatever testing they themselves think
> necessary, and as a result vote on how much of the 25k is awarded to the

What about freeware? GPL? and other?
How those person are suppose to give 25k to a hacker?
Just think of OpenBSD or any other free OS. If you ever
find a security problem in OpenBSD I'm sure they'll be
happy to fix it quite quick. But I don't see how they'll be
able to pay you... I don't think seling OpenBSD and
OpenSSH t-shirts give them a lot of money.

Same thing with the people who write .cgi or other web
goodies. They do that in there spare time and share it
with the comunity to save you the time they took to
build their products. Still I realy don't understand how
those person would be able to pay you money for a bug.

Another thing is: Where they are suppose to find the money
to hire 20 judges?

For what I understand your mail was aiming mostly at M$.
I'm not a M$ fan, but I don't belive it will be faire that they
have to pay if other don't just beacause they have a more
money.

Just my .02¢