Full Disclosure mailing list archives
Vulnerability Purchasing Program Questions
From: "Steven Adair" <steven () securityzone org>
Date: Wed, 11 Apr 2007 11:59:47 -0500 (EST)
Greetings,

I would like to see if I could get the community's take on these vulnerability purchasing programs, such as those offered by iDefense and 3COM. There have been previous discussions that I have seen on the lists surrounding poor monetary offerings of one program versus that of another. I've also seen people come out and mention they are affiliated with some program that will offer money for these vulnerabilities. This has led me to a few questions.

- Is there a general consensus as to what program is the best? I would imagine this primarily centers on monetary offerings, but I suppose there could be other considerations.

- If I normally work with vendors and disclose vulnerabilities for free, why would I not use one of these programs? I am making the assumption that we are working with a legitimate and responsible buyer. I have no intention of selling to shady buyers/foreign governments/etc. and would like to keep the assumption that the buyer is legitimate.

- Do we know that the buyers are always legitimate and responsible? Has anyone ever suspected wrongdoing or felt they have been wronged by one of the more popular and "legitimate" buying services? For example, a submission that was rejected by either party ended up being released by the vendor anyway or integrated into their product.

- Any general comments on these sorts of programs that lean strongly one way or the other?

Thanks,
Steven
securityzone.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Vulnerability Purchasing Program Questions Steven Adair (Apr 11)
- Re: Vulnerability Purchasing Program Questions Valdis . Kletnieks (Apr 11)
