Dailydave mailing list archives

Re: No more free bugs (and WOOT)


From: Julien TINNES <jt () cr0 org>
Date: Wed, 8 Apr 2009 20:23:48 +0200

On Wed, Apr 08, 2009 at 11:17:29AM -0500, Charles Miller wrote:
> Hi everybody.
>
> You may have heard some about the No More Free Bugs campaign
> (http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/).
> Basically, it is the chance for researchers to unite to get paid
> for the hard work we do.  As long as folks continue to give bugs to
> companies for free, the companies will never appreciate (or reward)
> the effort.  So I encourage you all to stop the insanity and stop
> giving away your hard work.  If you believe in the No More Free Bugs
> campaign, please include our logo (http://nomorefreebugs.org/logo.jpg)
> on all of your presentations at security conferences.  I think it
> would be really great if vendors sat through an entire conference and
> every talk had this logo on it.  I'll definitely have it on my
> BlackHat Europe slide deck next week.

Hi,

I don't understand the point of the campaign. Why are you trying to
convince people not to report bugs responsibly directly to vendors?
What harm would it do?
I can understand the reasons for a researcher to sell bugs to ZDI or
iDefense, I cannot understand how it could benefit the general public
if all security researchers would do so.
Are you trying to make vulnerability selling a bigger market so that
prices go higher?

Please, sit on vulnerabilities for months if you think this is what good
security researchers do [1], sell your bugs if you want (and there is
certainly a lot of appeal to do so), but don't try to convince everyone
else this is the way things should work!

Or next year your opponent's efforts may not fall outside the pwn2own 
criteria and you may not win ;)

Julien

[1] http://www.securityfocus.com/news/11549