Full Disclosure mailing list archives
Re: Google open redirect
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 8 Dec 2011 09:18:39 -0800
Granted, but I know that vulnerability research can take a huge chunk of time out of a person's life, and without getting into "monetary philosophy", I feel that in our current system, a person should be compensated for their time if they've done something useful for society.
Is this an existential discussion now? :-)

As the world is structured today, you are not automatically entitled to compensation because you are doing something that, in your opinion, helps the world. That said, you can often find other people who share your sentiment, and are willing to support your cause.

As it happens, Google has a vulnerability reward program that rewards the effort of external security researchers with rewards typically ranging from $500 to $3133.7 per bug. There are contributors earning a decent living off of this program alone. You may view it cynically, but the reason for having it isn't to suppress non-compliant disclosure, but just to make the Internet a safer place - and to compensate people in function of the difficulty of finding a flaw, and the utility of that finding.

The problem resulted in a *huge* spike of privately reported vulnerabilities that nobody would be even bothered to try to find before, and hasn't really affected the number of public disclosures much.

If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.

/mz

PS. I'm speaking on my own behalf, and trying to be as open as possible, so let's not make it overly political.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/