From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: M$ puts bounty out for Blaster and Sobig culprits

>Maybe M$ should put out a bounty for reporting bugs in their
>crappy software without going public instead.  That might be
>more effective.

Where would the benefit to anyone be from that? The person reporting the
bug may get a little money, at the cost of never mentioning it to anyone
else. Do you think MS would fix a bug that wasn't going to be publicly
disclosed?

Bounties for reporting bugs can be a good thing. With MS, it would just
be hush money.

Scenarios as I see them:

1. Person reports bug to MS, person voluntarily doesn't publicly
disclose, MS doesn't fix bug.

2. Person reports bug to MS, person gets paid not to publicly disclose,
MS doesn't fix bug.

3. Person reports bug to MS, person later publicly discloses, MS may or
may not fix bug.

4. Person doesn't report bug to MS first, person publicly discloses bug,
MS may or may not fix bug.
