lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <41B1FD84D49E05448A4233378E6BF475163C87@entmsgnt03.fm.frd.fmlh.edu>
From: jheidtke at fmlh.edu (Jerry Heidtke)
Subject: M$ puts bounty out for Blaster and Sobig culprits

>Maybe M$ should put out a bounty for reporting bugs in their
>crappy software without going public instead.  That might be
>more effective.

Where would the benefit to anyone be from that? The person reporting the
bug may get a little money, at the cost of never mentioning it to anyone
else. Do you think MS would fix a bug that wasn't going to be publicly
disclosed?

Bounties for reporting bugs can be a good thing. With MS, it would just
be hush money.

Scenarios as I see them:

1. Person reports bug to MS, person voluntarily doesn't publicly
disclose, MS doesn't fix bug.

2. Person reports bug to MS, person gets paid not to publicly disclose,
MS doesn't fix bug.

3. Person reports bug to MS, person later publicly discloses, MS may or
may not fix bug.

4. Person doesn't report bug to MS first, person publicly discloses bug,
MS may or may not fix bug.

Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ