Re: [Dailydave] Lap Dances for All
From: Chris Wysopal (weld@vulnwatch.org)
Date: Thu Mar 03 2005 - 12:15:47 CST
halvar@gmx.de said:
>It is clear that we thus need to "link" the risk of widespread attacks
>using unknown vulnerability back into the market. I see two avenues of
>doing this:
>
>1. Make the software industry liable for damages from worms etc. --
>obviously, they would have to buy insurance for this
>
>2. Create a market for vulnerabilities where the folks that find bugs
>have a place to go and get paid for their work
If the market is a VSC, unless the VSC informs the vendor (or makes the
issue public at a later date) then the positive security effect you are
looking for is only for the people subscribing to that particular VSC.
This is only going to be a small fraction of the overall software market.
And even those in the club can't use this information as leverage with
vendors.
However, if the VSC informs the vendor (or goes public), it devalues the
information it is selling because it will be relevant for a shorter period of
time. So market value is lower for researchers contributing to vendor-
informing VSCs. This would tend to make non-informing VSCs more
profitable and drive research toward them, thus taking vulnerability
information out of the public, where it can be used as leverage against
vendors to get them to ship less buggy products.
-Chris
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave