Full Disclosure mailing list archives

Re: Google open redirect


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 8 Dec 2011 09:18:39 -0800

> Granted, but I know that vulnerability research can take a huge chunk
> of time out of a person's life, and without getting into "monetary philosophy",
> I feel that in our current system, a person should be compensated for their
> time if they've done something useful for society.

Is this an existential discussion now?:-)

As the world is structured today, you are not automatically entitled
to compensation because you are doing something that, in your opinion,
helps the world. That said, you can often find other people who share
your sentiment, and are willing to support your cause.

As it happens, Google has a vulnerability reward program that rewards
the effort of external security researchers with rewards typically
ranging from $500 to $3133.7 per bug. There are contributors earning a
decent living off of this program alone. You may view it cynically,
but the reason for having it isn't to suppress non-compliant
disclosure, but just to make the Internet a safer place - and to
compensate people as a function of the difficulty of finding a flaw, and
the utility of that finding. The program resulted in a *huge* spike of
privately reported vulnerabilities that nobody would even have bothered
to try to find before, and hasn't really affected the number of public
disclosures much.

If you don't like it, let us know how to improve it. You also always
have the option of not researching vulnerabilities in these platforms;
going with the full-disclosure approach; or selling the flaws to a
willing third party.

/mz

PS. I'm speaking on my own behalf, and trying to be as open as
possible, so let's not make it overly political.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

