Vulnerability Development mailing list archives
Re: 0-day exploit..do i hear $1000?
From: dullien () gmx de
Date: Fri, 19 Oct 2001 08:19:28 -0700
Hey all,

Something that should really be considered is that people finding bugs in products do unpaid quality assurance for vendors. If the person doing this research is not part of a company, he doesn't benefit from publishing his work at all - especially if he doesn't intend to be hired by one in the near future either. Therefore he has no reason to publish anything. Most people looking for bugs these days are not regular customers of the software they're looking at, therefore having the bug fixed is not in their interest either, as it would be for someone actually using the product.

From this angle it would be sound & fair for large (especially security-conscious) corporations to put up a 'reward' for serious security vulnerabilities (in their products) being reported to them.

I can understand the anger of certain exploit authors - they sit in their rooms, have published exploits, and now some guy who is using the exploits as a pen-tester makes money off them without the original author ever having seen a dime - no one can claim that this is fair.

A fundamental question to be raised here is that of intellectual property for bugs - as the author of software can hardly be considered the copyright holder for any bugs he has inserted, one should perhaps consider whether the person who first detects the bug holds intellectual ownership of it and can thus prevent people who are not licensed to use it from using it. This is very dangerous as it would legitimate software patents as well, but then again, software patents seem to be acceptable behaviour in the less civilized parts of this planet.

A completely different issue here would be bug classes: Suppose something like a new 'format string bug' class is around with the property of making 50% of the existing systems insecure; could I as the 'inventor' of this bug class try to patent it? Would that make everyone who is trying to use a bug of that class susceptible to paying me licensing fees? I can see the pen-testing business turn a lot towards being less profitable...

So, who owns the bug if it is discovered? Why shouldn't trading bugs (even for money) be regarded as fair?

I know the implications. We'd all land in jail very quickly ;)

Cheers,
dullien () gmx de

--
With kind regards
dullien () gmx de
mailto:dullien () gmx de