On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski <lcam...@coredump.cx> wrote:
>> IMHO, anyone who willingly, knowingly places customer data at risk by
>> inviting attacks on their production systems is playing a very dangerous
>> game. There is no guarantee that a vuln discovered by a truly honest
>> researcher couldn't become a weapon for the dishonest "researcher" through
>> secondary discovery
>
> I'm not sure I follow. Are you saying that the dishonest researcher
> will not try to find vulnerabilities if there is no reward program for
> the honest ones?
>
> /mz
>
I'm not sure what he means either; however, I know that many organizations treat security patches with the same lifecycle as features, which means sometimes upwards of a year of testing, thus giving a huge window for secondary discovery; whereas a vuln exploited in the wild generally gets a much faster patch. Still, I'm not sure how this fact is relevant, if it is at all. Perhaps if the adversary sees the vuln in unencrypted email between researcher and organization and then uses it silently, making sure not to alert anyone? Not sure, but I digress.

I don't know who believes that they are "owed" anything in this manner, and I agree with you, Jim, on that point. However, my main complaint is that businesses should either not pay anything at all (perhaps $1 as a token of gratitude, some swag or some such), or at least make a real effort. Finding a code execution vuln in Google's whatever app-of-the-day is a non-trivial task that requires researchers to learn a completely new landscape. I would expect Google, of all "people", to pay 10x to 100x this amount for this sort of thing. A you-only-get-it-when-successful $20,000 budget from Google is insulting, considering the perhaps massive time investment from the researcher. There is zero ability to make an argument that such businesses "can't realistically outcompete all buyers of weaponized exploits" as Michal has done [ :'( ]. The huge amount of damage that bad-guy code executing on Google Wallet would do would cost far more than 2M in damages, repair work, lost business, and penalties; and yet they only pay a nice researcher 20 grand? You can't even live on that. Researchers aren't just kids with no responsibilities; they have mortgages and families. Increase the payouts and you not only get good guys doing good things but you also get bad guys doing good things (even if for the wrong reasons).

n.b. The fact that bad guys take risk when doing their bad-guy activities, including selling exploits, makes it even easier to outcompete the buyers.

Still, this is a huge improvement on what it was, if memory serves. A million thanks to Michal!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/