lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <CALx_OUA+KEY2nKHdaCbRvw5iPTwBUFiTaJcDqjGyLm9J64X8PA@mail.gmail.com>
Date: Mon, 23 Apr 2012 12:05:43 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>,
  dailydave <dailydave@...ts.immunityinc.com>,
  bugtraq <bugtraq@...urityfocus.com>, websecurity@...ts.webappsec.org
Subject: FYI: We're now paying up to $20,000 for web vulns in our services

Hey,

Hopefully this won't offend the moderators:

http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html

I suspect I know how the debate will be shaped - and I think I can
offer a personal insight. I helped shape our vulnerability reward
program from the start (November 2010), and I was surprised to see
that simply having an honest, no-nonsense, and highly responsive
process like this... well, it works for a surprisingly high number of
skilled researchers, even if you start with relatively modest rewards.

This puts an interesting spin on the conundrum of the black / gray
market vulnerability trade: you can't realistically outcompete all
buyers of weaponized exploits, but you can make the issue a lot less
relevant. By having several orders of magnitude more people reporting
bugs through a "white hat" channel, you are probably making
"underground" vulnerabilities a lot harder to find, and fairly
short-lived.

Cheers,
/mz
