Open Source and information security mailing list archives
 
Date: Wed, 25 Apr 2012 10:21:52 +0300
From: Georgi Guninski <guninski@...inski.com>
To: Charles Morris <cmorris@...odu.edu>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	Jim Harrison <Jim@...tools.org>
Subject: Re: We're now paying up to $20,000 for web vulns in our services

On Tue, Apr 24, 2012 at 11:28:29AM -0400, Charles Morris wrote:
> On Tue, Apr 24, 2012 at 11:13 AM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
> >> IMHO, anyone who willingly, knowingly places customer data at risk by inviting attacks on their production systems is playing a very dangerous game. There is no guarantee that a vuln discovered by a truly honest researcher couldn't become a weapon for the dishonest "researcher" through secondary discovery
> >
> > I'm not sure I follow. Are you saying that the dishonest researcher
> > will not try to find vulnerabilities if there is no reward program for
> > the honest ones?
> >
> > /mz
> >
> 
> I'm not sure what he means either, however I know that many
> organizations subject security patches to the same lifecycle as
> features, which means sometimes upwards of a year of testing, thus
> giving a huge window for secondary discovery; whereas a vuln exploited
> in-the-wild generally has a much faster patch. Still I'm not sure how
> this fact is relevant, if it is at all. Perhaps if the adversary sees
> the vuln in unencrypted email between researcher and organization and
> then uses it silently, making sure not to alert anyone? Not sure, but
> I digress.
> 
> I don't know who believes that they are "owed" anything in this
> manner, and I agree with you, Jim, on that point.
> 
> However, my main complaint is that businesses should either not pay
> anything at all (perhaps $1 as a token of gratitude, some swag or some
> such), or at least make a real effort. Finding a code execution vuln in
> Google's whatever app-of-the-day is a non-trivial task that requires
> researchers to learn a completely new landscape. I would expect Google,
> of all "people", to pay 10x to 100x this amount for this sort of thing.
> A you-only-get-it-when-successful $20,000 budget from Google is
> insulting, considering the perhaps massive time investment from the
> researcher.
> 
> There is zero ability to make an argument that such businesses "can't
> realistically outcompete all buyers of weaponized exploits" as Michal
> has done [ :'( ]. The huge amount of damage that a bad guy executing
> code on Google Wallet would cause would cost far more than $2M in
> damages, repair work, lost business, and penalties; and yet they only
> pay a nice researcher 20 grand? You can't even live on that.
> Researchers aren't just kids with no responsibilities; they have
> mortgages and families.
> 
> Increase the payouts and you not only get good guys doing good things
> but you also get bad guys doing good things (even if for the wrong
> reasons).
> 
> n.b. The fact that bad guys take risk when doing their bad-guy
> activities, including selling exploits, makes it even easier to
> outcompete the buyers.
> 
> Still, this is a huge improvement on what it was if memory serves. A
> million thanks to Michal !
>

I suppose if they get hit by malware the size of m$ they will
adjust the numbers. Maybe time will tell.

-- 
Georgi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/