lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 8 Dec 2011 09:18:39 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Charles Morris <cmorris@...odu.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

> Granted, but I know that vulnerability research can take a huge chunk
> of time out of a person's life, and without getting in to "monetary philosophy",
> I feel that in our current system, a person should be compensated for their
> time if they've done something useful for society.

Is this an existential discussion now?:-)

As the world is structured today, you are not automatically entitled
to compensation because you are doing something that, in your opinion,
helps the world. That said, you can often find other people who share
your sentiment, and are willing to support your cause.

As it happens, Google has a vulnerability reward programs that rewards
the effort of external security researchers with rewards typically
ranging from $500 to $3133.7 per bug. There are contributors earning a
decent living off of this program alone. You may view it cynically,
but the reason for having it isn't to suppress non-compliant
disclosure, but just to make the Internet a safer place - and to
compensate people in function of the difficulty of finding a flaw, and
the utility of that finding. The problem resulted in a *huge* spike of
privately reported vulnerabilities that nobody would be even bothered
to try to find before, and hasn't really affected the number of public
disclosures much.

If you don't like it, let us know how to improve it. You also always
have the option of not researching vulnerabilities in these platforms;
going with the full-disclosure approach; or selling the flaws to a
willing third party.

/mz

PS. I'm speaking on my own behalf, and trying to be as open as
possible, so let's not make it overly political.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists