Message-ID: <151e385b0708082240u79be716asceec53a216fdd0f4@mail.gmail.com>
Date: Thu, 9 Aug 2007 00:40:38 -0500
From: ireadit@...il.com
To: "Jared DeMott" <demottja@....edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Right, or wrong?

On 8/7/07, Jared DeMott <demottja@....edu> wrote:
>
> All:
>
> So, I've tried the vendor pay model for bug hunting and it wasn't always
> well received.  Apparently auction sites and 3 party purchasers are
> fine, but some folks don't like the idea of selling directly to the
> vendor.  I was thinking that this would be ideal since the vendor would
> have the most interest in knowing about/fixing the bug.  My question to
> the list is this:
> Is it morally right, wrong, don't know, don't care, good business, bad
> business, etc.?  Either way we're moving away from that model, but I was
> just curious how others on FD see it.
Security researchers deserve more than credit for their efforts, but the
software industry isn't there yet and may never be. We've got to find some
legitimate way to monetize security research or the only ones who get paid
for finding these flaws will be those working for organized crime or the
government.

Perhaps the information security field needs its own Ralph Nader style
activist to write a book and start a campaign about how insecure most
software really is and how corporations have refused to adopt secure
software development methodologies in the interest of saving money, and the
result is that we are more vulnerable than we ought to be.

Input validation saves lives. Is your software "unsafe at any speed?"

Keep up the good work Jared.

-- 
ireadit@...il.com

