The organization uses lab environments to re-create vulnerabilities
and then works directly with the vendors to provide a reasonable solution. iDefense's program,
the Vulnerability Contributor Program (VCP), has pinpointed hundreds of threats over
the past few years within a long list of applications.
This global security company has drawn skepticism throughout the industry, however,
as many question whether it is appropriate to profit by searching for flaws in others' work.
The biggest fear here is that the practice could lead to unethical behavior and, potentially,
legal complications. In other words, if a company's sole purpose is to identify flaws in
software applications, wouldn't there be an incentive to find more and more flaws over
time, even if the flaws are less relevant to security issues? The question also touches on the
idea of extortion. Researchers may get paid by the number of bugs they find, much like
the commission a salesperson makes per sale. Critics worry that researchers will begin
going to the vendors demanding money unless they want their vulnerability disclosed to
the public, a practice referred to as a "finder's fee." Many believe that bug hunters should
be employed by the software companies or work on a voluntary basis to avoid this profiteering
mentality.