Full Disclosure mailing list archives
FYI: We're now paying up to $20,000 for web vulns in our services
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 23 Apr 2012 12:05:43 -0700
Hey,

Hopefully this won't offend the moderators:

http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can offer a personal insight. I helped shape our vulnerability reward program from the start (November 2010), and I was surprised to see that simply having an honest, no-nonsense, and highly responsive process like this... well, it works for a surprisingly high number of skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray market vulnerability trade: you can't realistically outcompete all buyers of weaponized exploits, but you can make the issue a lot less relevant. By having several orders of magnitude more people reporting bugs through a "white hat" channel, you are probably making "underground" vulnerabilities a lot harder to find, and fairly short-lived.

Cheers,
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:
- FYI: We're now paying up to $20,000 for web vulns in our services Michal Zalewski (Apr 23)
- Re: We're now paying up to $20,000 for web vulns in our services Jim Harrison (Apr 24)
- Re: We're now paying up to $20,000 for web vulns in our services Michal Zalewski (Apr 24)
- Re: We're now paying up to $20,000 for web vulns in our services Charles Morris (Apr 24)
- Re: We're now paying up to $20,000 for web vulns in our services Michal Zalewski (Apr 24)
- Re: We're now paying up to $20,000 for web vulns in our services Bob McConnell (Apr 27)
- Re: We're now paying up to $20,000 for web vulns in our services Jim Harrison (Apr 26)
- Re: We're now paying up to $20,000 for web vulns in our services Charlie Derr (Apr 27)
- Re: We're now paying up to $20,000 for web vulns in our services Michal Zalewski (Apr 24)
- Re: We're now paying up to $20,000 for web vulns in our services Georgi Guninski (Apr 25)
- Re: We're now paying up to $20,000 for web vulns in our services Jim Harrison (Apr 24)
- Re: We're now paying up to $20,000 for web vulns in our services Ramon de C Valle (Apr 24)
- Re: We're now paying up to $20,000 for web vulns in our services Jim Harrison (Apr 25)