Furthermore, skeptics feel that researchers discovering flaws should, at a
minimum, receive personal recognition for their findings. They believe bug finding
should be considered an act of goodwill and not a profitable endeavor.
Bug hunters counter these issues by insisting that they believe in full disclosure policies
and that any acts of extortion are discouraged. In addition, they are paid for their
work and do not work on a bug commission plan as some skeptics maintain. Yep,
more controversy.
In the first quarter of 2007, iDefense, a VeriSign company, offered up a challenge to the
security researchers. For any vulnerability that allows an attacker to remotely exploit and
execute arbitrary code on either Microsoft Windows Vista or Microsoft Internet Explorer
v7, iDefense will pay $8,000, plus an extra $2,000 to $4,000 for the exploit code, for up to
six vulnerabilities. Interestingly, this has fueled debates from some unexpected angles.
Security researchers are up in arms because previous quarterly vulnerability challenges
from iDefense paid $10,000 per vulnerability. Security researchers feel that their
work is being "discounted."
This is where it turns dicey. Because of the decrease in payment for the gray hat work of
finding vulnerabilities, there is a growing dialogue among these gray hatters about auctioning
off newly discovered zero-day vulnerabilities and exploit code through an underground
brokerage system.