Vulnerability Development mailing list archives

RE: 0-day exploit..do i hear $1000?


From: Rebecca Kastl <rkastl () neohapsis com>
Date: Thu, 18 Oct 2001 19:44:10 -0500 (CDT)

On Thu, 18 Oct 2001, Don Weber wrote:

> After reading the "0-day exploit..do i hear $1000?", I would tend to think
> it would be reasonable for at least the major vendors to give rewards for
> people finding vulnerabilities in a product, considering those same vendors
> have spent lots of money alpha/beta testing the product, still not finding
> the same vulns...

This reminds me of a joke I heard years ago about software company x offering
QA testers a cash bonus for bugs found.  There was suddenly a huge underground
market fueled by a large increase in bugs.

I think that specifically dealing with exploits and the like, this is an area
that is working just fine (given the circumstances and the nature of the
business).  I personally find RFP's approach (and many others) to be
exceedingly appropriate.  As soon as $$ is introduced into the mix, many
aspects of security and disclosure suddenly become extremely suspect.

Do we trust MS to fully disclose all of their security issues?  Nope.  Why
would somebody off in a dark corner of the world coding for cash necessarily
make me feel more secure?

I'm not trying to take any potshots here, I'm just throwing out some
legitimate concerns.


--Rebecca Kastl

