Dailydave mailing list archives
Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder
From: <halvar () gmx de>
Date: Sun, 13 Mar 2005 08:37:20 -0800
Hey all,

First of all, Drew Copley is in the process of creating brand-name recognition for Immunity in a major and very cheap way :-)

Second of all, there is nothing that prevents security vendors from signing up to a vulnerability sharing club and fixing the bugs, which they would do anyhow if they had any incentive to produce secure software.

The point is that they have very little incentive to do so. They are liability-free when customers get massive worm infections, and they get the "QA" done for free by the security community. Anybody that expects to be paid retrospectively for finding bugs is labeled as "unethical". If you play nice, the software vendor might be nice to you and put your name onto an advisory.

There needs to be some way to create economic incentive for software vendors to fix bugs before the product is delivered and installed, and there are really just two choices:

1. Hold software vendors liable for damages incurred from intrusions
2. Create a market for vulnerabilities

In the first case, vendors will have to purchase insurance for their software, which will be a lot more expensive for widely used software than for niche products. The insurances will get richer. The closed source vendors would have a good argument why customers should choose closed versus open source, too: for OSS, there would be nobody to sue.

The second case is what (to an extent, and perhaps not in the most optimal way) VSC does: MS would have an incentive to spend the membership fee to learn about bugs early, and the money that MS pays could be used to make it more attractive to give up the exploits to the vendor. If the vendor decides he doesn't care (which would be a viable position to take if he is very certain of his code quality), then he does not need to sign up.

So whenever you hear somebody accuse somebody else of being "unethical" for creating a market for vulnerabilities, ask them: market or liability?

If they cannot propose a solution for making software vendors bear the cost of building vulnerable software, they shouldn't be talking ethics. Keeping the cost of broken code at the customer's side is what is wrong.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave