Re: [Dailydave] Fwd: [ISN] Security experts hit out at "unethical" bugfinder
From: Chris Wysopal (weld at vulnwatch.org)
Date: Mon Mar 14 2005 - 11:46:45 CST
On Sun, 13 Mar 2005 halvar at gmx.de wrote:
> There needs to be some way to create economic incentive for software vendors
> to fix
> bugs before the product is delivered and installed, and there are really
> just two choices:
> 1. Hold software vendors liable for damages incurred from intrusions
> 2. Create a market for vulnerabilities
I would argue that there always has been a market for vulnerabilities.
Bug finders gain PR for their advisories that translates to real business
value: @stake, Foundstone, etc. Still this is low value but it does still
affect vendor behavior. Then there are higher value vulnerability clubs,
CERT, ISS, DigitalDefense. These may affect vendor behavior more.
The Immunity VSC may have even higher value since vendors are not
automatically informed. This should affect vendor behavior.
I don't think it is as simple as "create a market" and "affect vendor
behavior". It's the details that matter. Is the detail of not
automatically informing the vendor one that is necessary for the market to be
economical to the broker? Is it a requirement to modify vendor behavior?
Are there downsides to this that preclude this type of market from taking
off and really affecting the industry?
-Chris
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave