Dailydave mailing list archives

Re: No more free bugs (and WOOT)


From: Joanna Rutkowska <joanna () invisiblethingslab com>
Date: Wed, 08 Apr 2009 20:44:16 +0200

Charles Miller wrote:
At this point I'm not even concerned with making "reasonable" money. I'd be
happy with researchers getting any money.

Oh?!

(I know there are stopgap solutions like ZDI which is great, but buying bugs
is not really their core business)  I'd love to see what would happen if
nobody reported any bugs for a year.  Would the vendors start paying?

I see no incentive on their side.

Would they even care?

Why would they?

Of course, if we assumed that half of those researchers who stopped notifying
vendors went underground (I mean commercialized cyber-crime here), then maybe
*some* vendors (e.g. A/V) would be willing to hire more analysts. Of course, the
AV would love the whole situation with more cyber-criminals all around (hush!).
In fact, those few researchers that didn't go underground would love the
situation too (more job offerings).

But the whole point of this initiative, AFAIU, is to find out a *legal* way of
making money on bugs.

I don't have the solution, I just know nothing will ever change if the status
quo remains.  The only thing we can do is stop giving away our work and see
what happens.

And who said we're giving it away for *free*? Some of us get recognition for
our research and *legit* consulting/research jobs in return. We show our skills,
we get a job -- this is how it has worked for many years.

Also, maybe finding the n-th QuickTime or Acrobat bug isn't really worth that
much as some of us would like to think (based on what we hear the underground
pays)? While I can totally appreciate and admire a well-written exploit, this is
more of an art, rather than something of utmost importance for the industry.
I mean... what does this n-th bug for Acrobat (or even exploit) really change?
Prove anything? Maybe such things simply aren't worth that much in the *legit*
world?

I think the ideal solution would be that all the big vendors would have to
contribute to some fund (held at CERT or something) which could be used to
pay independent researchers who find and report bugs.

That smells of communism to me ;) Not that I remember much of those times
myself, but anyway ;)

joanna.
