Message-ID: <Pine.GSO.4.58.0311051005520.16250@well.com>
From: vvandal at well.com (Vic Vandal)
Subject: M$ puts bounty out for Blaster and Sobig culprits
In all fairness, you forgot at least one possible scenario in
your rebuttal:
5. If one person found a flaw, logic and common sense dictate
that others could and would eventually find the same flaw.
Hopefully by that time M$ (or any other software vendor) would
have done the smart/right thing and issued a patch or service
pack to address the flaw (whether or not anyone actually applied
the patch is another story).
At least under that scenario the likelihood of a zero-day exploit
is reduced. Therefore my point stands, although I didn't put
more than a moment's thought into it before spewing it out. It was
almost meant in jest, and I never indicated it was an absolute
solution (note the words "maybe" and "might" clearly included).
Anyway, my main contribution there was the article, strictly for
informational sake. When I try to solve the InfoSec problems of
the world, I'll be a lot more thorough about it.
Peace,
Vic
On Wed, 5 Nov 2003, Jerry Heidtke wrote:
>
> >Maybe M$ should put out a bounty for reporting bugs in their
> >crappy software without going public instead. That might be
> >more effective.
>
> Where would the benefit to anyone be from that? The person reporting the
> bug may get a little money, at the cost of never mentioning it to anyone
> else. Do you think MS would fix a bug that wasn't going to be publicly
> disclosed?
>
> Bounties for reporting bugs can be a good thing. With MS, it would just
> be hush money.
>
> Scenarios as I see them:
>
> 1. Person reports bug to MS, person voluntarily doesn't publicly
> disclose, MS doesn't fix bug.
>
> 2. Person reports bug to MS, person gets paid not to publicly disclose,
> MS doesn't fix bug.
>
> 3. Person reports bug to MS, person later publicly discloses, MS may or
> may not fix bug.
>
> 4. Person doesn't report bug to MS first, person publicly discloses bug,
> MS may or may not fix bug.
>