Dailydave mailing list archives
Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder
From: Chris Wysopal <weld () vulnwatch org>
Date: Mon, 14 Mar 2005 12:46:45 -0500 (EST)
On Sun, 13 Mar 2005 halvar () gmx de wrote:
> There needs to be some way to create economic incentive for software vendors to fix bugs before the product is delivered and installed, and there are really just two choices:
> 1. Hold software vendors liable for damages incurred from intrusions
> 2. Create a market for vulnerabilities
I would argue that there always has been a market for vulnerabilities. Bug finders gain PR for their advisories that translates to real business value: @stake, Foundstone, etc. Still, this is low value, but it does still affect vendor behavior. Then there are higher value vulnerability clubs: CERT, ISS, DigitalDefense. These may affect vendor behavior more. The Immunity VSC may have even higher value since vendors are not automatically informed. This should affect vendor behavior.

I don't think it is as simple as "create a market" and "affect vendor behavior". It's the details that matter. Is the detail of not automatically informing the vendor one that is necessary for the market to be economical to the broker? Is it a requirement to modify vendor behavior? Are there downsides to this that preclude this type of market from taking off and really affecting the industry?

-Chris

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Fwd: [ISN] Security experts hit out at "unethical" bug finder Anthony Zboralski (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder halvar (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Chris Wysopal (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder H D Moore (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Chris Wysopal (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Isaac Dawson (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Chris Wysopal (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder halvar (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder halvar (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Jan Muenther (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Gadi Evron (Mar 14)
- Re: Fwd: [ISN] Security experts hit out at "unethical" bugfinder Gadi Evron (Mar 14)