[Dailydave] No more free bugs (and WOOT)

Julien TINNES jt at cr0.org
Wed Apr 8 18:04:15 EDT 2009


On Wednesday 08 April 2009, Charles Miller wrote:
> Hi Julien,
>
> I think you misunderstand.  I'm all for responsible disclosure.  I
> just think those doing the disclosure should be rewarded for their
> efforts.  (This is how NMFB is fundamentally different from
> antisecurity.is I believe)

In an ideal world yes, as should people finding other (non-security) bugs.

> As for benefitting the general public, if researchers were actually
> rewarded for their work, more of them would look for (and report)
> vulnerabilities and the public would actually be better off.  Ask
> yourself the question, would more IE bugs be found if the reward was a
> researcher's name in an advisory or a big lump of cash.

If a software company wants to give bounties for this, I think it's a good
idea, but I'm not sure how this campaign may help.

If researchers stopped releasing bugs for free, companies would not suddenly
start paying for them.
Unfortunately most software companies would be perfectly happy without all
those pesky hackers messing around with their code.

It's already hard to get some software companies to care and correct the bugs you
give them for free (I have numerous examples, as I'm sure you do); I can't
imagine what the situation would be if they had to buy them.
It may actually give them a perfectly valid excuse for not looking at the bug.

To me, full disclosure would be more of a solution to this particular problem
than trying to sell bugs. Unfortunately, it has lots of unwanted side effects
too :)

Julien