Vulnerability Development mailing list archives

Re: 0-day exploit..do i hear $1000?


From: dullien () gmx de
Date: Fri, 19 Oct 2001 08:19:28 -0700

Hey all,

Something that should really be considered is that people finding bugs in
products do unpaid quality assurance for vendors. If that person doing
this research is not part of a company he doesn't benefit from
publishing his work at all - especially if he doesn't intend on being
hired by one in the near future either. Therefore he has no reason to
publish anything.

Most people looking for bugs these days are not regular customers of
the software they're looking at, therefore having the bug fixed is not
in their interest either as it would be for someone actually using the
product.

From this angle it would be sound & fair for large (especially
security-conscious) corporations to put up a 'reward' for serious
security vulnerabilities (in their products) being reported to them.

I can understand the anger of certain exploit authors - they sit in
their rooms, have published exploits, and now some guy who is using
the exploits as a pen-tester makes money off them without the original
author ever having seen a dime - no one can claim that this is fair.

A fundamental question to be raised here is that of intellectual
property for bugs - as the author of software can hardly be considered
the copyright holder for any bugs he has inserted, one should perhaps
consider if the person who first detects the bug holds intellectual
ownership of it and can thus prevent people who are not licensed to
use it from using it.

This is very dangerous as it would legitimate software patents as
well, but then again, software patents seem to be acceptable behaviour
in the less civilized parts of this planet.

A completely different issue here would be bug classes: Suppose
something like a new 'format string bug'-class is around with the
property of making 50% of the existing systems insecure, could I as
the 'inventor' of this bug class try to patent it?
Would that make everyone who is trying to use a bug of that class
susceptible to paying me licensing fees? I can see the pen-testing
business turn a lot towards being less profitable...

So, who owns the bug if it is discovered? Why shouldn't trading bugs
(even for money) be regarded as fair?

I know the implications. We'd all land in jail very quickly ;)

Cheers,
dullien () gmx de
-- 
Kind regards
dullien () gmx de                            mailto:dullien () gmx de
