Dailydave mailing list archives

Re: Vulnerabilities Market


From: Shane <shane () security-objectives com>
Date: Sun, 23 May 2010 16:20:28 -0700

I would love to see a non-profit initiative.

Crediting those who donate vuln/exploit information with tax deductible
receipts.  Maybe then we would see some real ROI for the research/work
put into these things.

Let's just call it the CSBS (computer security benevolence society:)?

The BS could liaise with CERT, hopefully reducing the overall level of ER.

The benefactor can put a suggested price, including justification (not
just the perceived market value, but also the value to the industry at
large).

How about also donating techniques?  Sock-re-use shellcode or Heap foo
"products" would be nice.

I understand the want of "just getting the $", but this is really a
no-win situation.  There are _ALWAYS_ losers in that game, I do not know a
single vuln-shyster who uses an escrow (Not too many other ways to avoid
being held over the barrel here). I could really go on here, please,
nobody try to claim that you can have a win-win in this model, it's not
happening today.  What is the norm is rampant frustration by the
researcher and also the buyers, I'm quite sure of this.

The CSBS would also drive the mean price up/into reality.  If you do not
get at least 50% what it is worth, simply donate to the CSBS for the
write off.

Giving some other incentive to researchers in this area seems to be a
logical step towards maturity (market maturity). Let's all grow up (grow
= make market bigger)!
Shane

