Bugtraq mailing list archives
FYI: We're now paying up to $20,000 for web vulns in our services
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 23 Apr 2012 12:05:43 -0700
Hey,

Hopefully this won't offend the moderators:

http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can offer a personal insight. I helped shape our vulnerability reward program from the start (November 2010), and I was surprised to see that simply having an honest, no-nonsense, and highly responsive process like this... well, it works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray market vulnerability trade: you can't realistically outcompete all buyers of weaponized exploits, but you can make the issue a lot less relevant. By having several orders of magnitude more people reporting bugs through a "white hat" channel, you are probably making "underground" vulnerabilities a lot harder to find, and fairly short-lived.

Cheers,
/mz
Current thread:
- FYI: We're now paying up to $20,000 for web vulns in our services Michal Zalewski (Apr 23)
- RE: We're now paying up to $20,000 for web vulns in our services Jim Harrison (Apr 25)
- Re: We're now paying up to $20,000 for web vulns in our services Michal Zalewski (Apr 25)
- Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services Charles Morris (Apr 25)
- Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns in our services Michal Zalewski (Apr 25)
- Re: We're now paying up to $20,000 for web vulns in our services Michal Zalewski (Apr 25)
- RE: We're now paying up to $20,000 for web vulns in our services Jim Harrison (Apr 25)