Date: Thu, 8 Dec 2011 09:18:39 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Charles Morris <cmorris@...odu.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

> Granted, but I know that vulnerability research can take a huge chunk
> of time out of a person's life, and without getting into "monetary philosophy",
> I feel that in our current system, a person should be compensated for their
> time if they've done something useful for society.

Is this an existential discussion now? :-)

As the world is structured today, you are not automatically entitled to compensation because you are doing something that, in your opinion, helps the world. That said, you can often find other people who share your sentiment and are willing to support your cause.

As it happens, Google has a vulnerability reward program that rewards the effort of external security researchers with rewards typically ranging from $500 to $3133.7 per bug. There are contributors earning a decent living off of this program alone.

You may view it cynically, but the reason for having it isn't to suppress non-compliant disclosure, but just to make the Internet a safer place - and to compensate people as a function of the difficulty of finding a flaw and the utility of that finding. The program resulted in a *huge* spike of privately reported vulnerabilities that nobody would even bother to try to find before, and hasn't really affected the number of public disclosures much.

If you don't like it, let us know how to improve it. You also always have the option of not researching vulnerabilities in these platforms; going with the full-disclosure approach; or selling the flaws to a willing third party.

/mz

PS. I'm speaking on my own behalf, and trying to be as open as possible, so let's not make it overly political.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/