Message-ID: <468025F3.1090600@msu.edu>
Date: Mon, 25 Jun 2007 16:30:43 -0400
From: Jared DeMott <demottja@....edu>
To: secure poon <suckure@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Office 0day

secure poon wrote:
> *Proposition*
>  
> Microsoft is a 280+ billion dollar corporation. Why don't/can't they
> have a standard ransom fee for security flaws?
>  
> 0day Remote OS flaw: $1,000,000
> 0day  IE explorer flaws that give administrative shells: $200,000
> 0day (other flaws) that affect other products (ie office): $200,000
> etc..(these fees could be much higher)
>  
> Provided the person who discovered the vulnerability gives a full
> working patch, then Microsoft could patch the hole right away and
> people could update. (Yes, I know lots of people don't update, but at
> least it is a start, and then legally they would be so liable.) Maybe
> this concept isn't new and I am just in the dark about it.
>  
> *Question*
>  
> Why doesn't Microsoft (or any company) do this? And also, has
> Microsoft ever been held criminally liable for negligence in a criminal
> case for not patching a flaw leading to a security breach? Or is their
> team of lawyers just too much for any normal person?
All I can say is AMEN.  Having to sell to TPs, iDefs, and Nation States
is so much more painful.

Jared :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/