Open Source and information security mailing list archives
From: vvandal at well.com (Vic Vandal)
Subject: M$ puts bounty out for Blaster and Sobig culprits

In all fairness, you forgot at least one possible scenario in
your rebuttal:

5. If one person found a flaw, logic and common sense dictate
that others could and would eventually find the same flaw.
Hopefully by that time M$ (or any other software vendor) would
have done the smart/right thing and issued a patch or service
pack to address the flaw (whether or not anyone actually applied
the patch is another story).

At least under that scenario the likelihood of a zero-day exploit
is reduced.  Therefore my point stands, although I didn't put
more than a moment's thought into it before spewing it out.  It was
almost meant in jest, and I never indicated it was an absolute
solution (note the words "maybe" and "might" clearly included).
Anyway, my main contribution there was the article, strictly for
informational sake.  When I try to solve the InfoSec problems of
the world, I'll be a lot more thorough about it.

Peace,
Vic

On Wed, 5 Nov 2003, Jerry Heidtke wrote:

>
> >Maybe M$ should put out a bounty for reporting bugs in their
> >crappy software without going public instead.  That might be
> >more effective.
>
> Where would the benefit to anyone be from that? The person reporting the
> bug may get a little money, at the cost of never mentioning it to anyone
> else. Do you think MS would fix a bug that wasn't going to be publicly
> disclosed?
>
> Bounties for reporting bugs can be a good thing. With MS, it would just
> be hush money.
>
> Scenarios as I see them:
>
> 1. Person reports bug to MS, person voluntarily doesn't publicly
> disclose, MS doesn't fix bug.
>
> 2. Person reports bug to MS, person gets paid not to publicly disclose,
> MS doesn't fix bug.
>
> 3. Person reports bug to MS, person later publicly discloses, MS may or
> may not fix bug.
>
> 4. Person doesn't report bug to MS first, person publicly discloses bug,
> MS may or may not fix bug.
>