Full Disclosure mailing list archives

Re: Right, or wrong?


From: ireadit () gmail com
Date: Thu, 9 Aug 2007 00:40:38 -0500

On 8/7/07, Jared DeMott <demottja () msu edu> wrote:

All:

So, I've tried the vendor pay model for bug hunting and it wasn't always
well received.  Apparently auction sites and third-party purchasers are
fine, but some folks don't like the idea of selling directly to the
vendor.  I was thinking that this would be ideal since the vendor would
have the most interest in knowing about/fixing the bug.  My question to
the list is this:
Is it morally right, wrong, don't know, don't care, good business, bad
business, etc.?  Either way we're moving away from that model, but I was
just curious how others on FD see it.



Security researchers deserve more than credit for their efforts, but the
software industry isn't there yet and may never be. We've got to find some
legitimate way to monetize security research or the only ones who get paid
for finding these flaws will be those working for organized crime or the
government.

Perhaps the information security field needs its own Ralph Nader-style
activist to write a book and start a campaign about how insecure most
software really is, and how corporations have refused to adopt secure
software development methodologies in the interest of saving money, with the
result that we are more vulnerable than we ought to be.

Input validation saves lives. Is your software "unsafe at any speed?"

Keep up the good work Jared.

-- 
ireadit () gmail com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/