Dailydave mailing list archives

Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder


From: Chris Wysopal <weld () vulnwatch org>
Date: Mon, 14 Mar 2005 12:46:45 -0500 (EST)



On Sun, 13 Mar 2005 halvar () gmx de wrote:

> There needs to be some way to create economic incentive for software vendors
> to fix bugs before the product is delivered and installed, and there are really
> just two choices:
>     1. Hold software vendors liable for damages incurred from intrusions
>     2. Create a market for vulnerabilities

I would argue that there always has been a market for vulnerabilities.
Bug finders gain PR for their advisories that translates to real business
value: @stake, Foundstone, etc.  Still this is low value but it does still
affect vendor behavior.  Then there are higher value vulnerability clubs,
CERT, ISS, DigitalDefense.  These may affect vendor behavior more.
The Immunity VSC may have even higher value since vendors are not
automatically informed.  This should affect vendor behavior.

I don't think it is as simple as "create a market" and "affect vendor
behavior".  It's the details that matter.  Is the detail of not
automatically informing the vendor one that is necessary for the market to be
economical to the broker?  Is it a requirement to modify vendor behavior?
Are there downsides to this that preclude this type of market from taking
off and really affecting the industry?

-Chris
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave