| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 25 Apr 2012 10:21:52 +0300 From: Georgi Guninski <guninski@...inski.com> To: Charles Morris <cmorris@...odu.edu> Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, Jim Harrison <Jim@...tools.org> Subject: Re: We're now paying up to $20, 000 for web vulns in our services On Tue, Apr 24, 2012 at 11:28:29AM -0400, Charles Morris wrote: > On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski <lcamtuf@...edump.cx> wrote: > >> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery > > > > I'm not sure I follow. Are you saying that the dishonest researcher > > will not try to find vulnerabilities if there is no reward program for > > the honest ones? > > > > /mz > > > > I'm not sure what he means either, however I know that many > organizations treat security patches to the same lifecycle as > features, > which means sometimes upwards of a year of testing- thus giving a huge > window for secondary discovery; whereas a vuln exploited in-the-wild > generally has a much faster patch. Still I'm not sure how this fact is > relevant, if it is at all. Perhaps if the adversary sees the vuln in > unencrypted email > between researcher and organization and then uses it silently making > sure not to alert anyone? Not sure, but I digress. > > I don't know who believes that they are "owed" anything in this > manner, and I agree with you, Jim, on that point. > > However, my main complaint is that businesses should either not pay > anything at all (perhaps 1$ as a token of gratitude, some swag or some > such), > or at least make a real effort. Finding a code execution vuln in > google's whatever app-of-the-day is non-trivial task that requires > researchers > to learn a completely new landscape. I would expect Google, of all > "people", to pay 10x to 100x this amount for this sort of thing.. > A you-only-get-it-when-successful 20,000$ budget from Google is > insulting, considering the perhaps massive time investment from the > researcher. > > There is zero ability to make an argument that such businesses "can't > realistically outcompete all buyers of weaponized exploits" as Michal > has done [ :'( ]. > The huge amount of damage that a badguy code executing on google > wallet would cost far more than 2M in damages, repair work, lost > business, and penalties; > and yet they only pay a nice researcher 20 grand? You can't even live > on that. Researchers aren't just kids with no responsibilities, they > have mortgages and families. > > Increase the payouts and you not only get good guys doing good things > but you also get bad guys doing good things (even if for the wrong > reasons). > > n.b. The fact that badguys take risk when doing their badguy > activities, including selling exploits, makes it even easier to > outcompete the buyers. > > Still, this is a huge improvement on what it was if memory serves. A > million thanks to Michal ! > I suppose if they get hit by malware the size of m$ they will adjust the numbers. Maybe time will tell. -- Georgi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists