Vulnerability Development mailing list archives
RE: 0-day exploit..do i hear $1000?
From: Rebecca Kastl <rkastl () neohapsis com>
Date: Thu, 18 Oct 2001 19:44:10 -0500 (CDT)
On Thu, 18 Oct 2001, Don Weber wrote:
After reading the "0-day exploit..do i hear $1000?", I would tend to think it would be reasonable for at least the major vendors to give rewards for people finding vulnerabilities in a product, considering those same vendors have spent lots of money alpha/beta testing the product, still not finding the same vulns...
This reminds me of a joke I heard years ago about software company x offering QA testers a cash bonus for bugs found. There was suddenly a huge underground market fueled by a large increase in bugs.

I think that specifically dealing with exploits and the like, this is an area that is working just fine (given the circumstances and the nature of the business). I personally find RFP's approach (and many others) to be exceedingly appropriate. As soon as $$ is introduced into the mix, many aspects of security and disclosure suddenly become extremely suspect.

Do we trust MS to fully disclose all of their security issues? Nope. Why would somebody off in a dark corner of the world coding for cash necessarily make me feel more secure? I'm not trying to take any potshots here, I'm just throwing out some legitimate concerns.

--Rebecca Kastl