Date: Tue, 24 Apr 2012 11:28:29 -0400
From: Charles Morris <cmorris@...odu.edu>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: Jim Harrison <Jim@...tools.org>,
  dailydave <dailydave@...ts.immunityinc.com>,
  "websecurity@...ts.webappsec.org" <websecurity@...ts.webappsec.org>,
  full-disclosure <full-disclosure@...ts.grok.org.uk>,
  bugtraq <bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] We're now paying up to $20, 000 for web vulns
 in our services

On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
>> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery
>
> I'm not sure I follow. Are you saying that the dishonest researcher
> will not try to find vulnerabilities if there is no reward program for
> the honest ones?
>
> /mz
>

I'm not sure what he means either, however I know that many
organizations subject security patches to the same lifecycle as
features, which means sometimes upwards of a year of testing, thus
giving a huge window for secondary discovery; whereas a vuln exploited
in-the-wild generally has a much faster patch. Still I'm not sure how
this fact is relevant, if it is at all. Perhaps if the adversary sees
the vuln in unencrypted email between researcher and organization and
then uses it silently, making sure not to alert anyone? Not sure, but I
digress.

I don't know who believes that they are "owed" anything in this
manner, and I agree with you, Jim, on that point.

However, my main complaint is that businesses should either not pay
anything at all (perhaps $1 as a token of gratitude, some swag or some
such), or at least make a real effort. Finding a code execution vuln in
Google's whatever app-of-the-day is a non-trivial task that requires
researchers to learn a completely new landscape. I would expect Google,
of all "people", to pay 10x to 100x this amount for this sort of thing.
A you-only-get-it-when-successful $20,000 budget from Google is
insulting, considering the perhaps massive time investment from the
researcher.

There is zero ability to make an argument that such businesses "can't
realistically outcompete all buyers of weaponized exploits" as Michal
has done [ :'( ].
The huge amount of damage that a bad guy's code executing on Google
Wallet would do would cost far more than $2M in damages, repair work,
lost business, and penalties; and yet they only pay a nice researcher
20 grand? You can't even live on that. Researchers aren't just kids
with no responsibilities, they have mortgages and families.

Increase the payouts and you not only get good guys doing good things
but you also get bad guys doing good things (even if for the wrong
reasons).

n.b. The fact that bad guys take risk when doing their bad-guy
activities, including selling exploits, makes it even easier to
outcompete the buyers.

Still, this is a huge improvement on what it was, if memory serves. A
million thanks to Michal!
