no more free bugs
Thursday, April 2nd, 2009

A very interesting development in the disclosure debate.
A few weeks ago, Charlie Miller, Alex Sotirov, and I [Dai Zovi] arrived on a new meme: No More Free Bugs.
Therefore, reporting vulnerabilities for free without any legal agreements in place is risky volunteer work. There are a number of legitimate alternatives to the risky proposition of volunteering free vulnerabilities and I have already mentioned a few (I don’t want to turn this into an advertisement or discussion on the best/proper way to monetize security research). There just need to be more legal and transparent options for monetizing security research. This would provide a fair market value for a researcher’s findings and incentivize more researchers to find and report vulnerabilities to these organizations.