Via eWeek.com -
VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer 7.
The Reston, Va., security intelligence outfit threw out the monetary reward to hackers as part of a challenge program aimed at luring researchers to its controversial pay-for-flaw VCP (Vulnerability Contributor Program).
...
iDefense isn't the only brand-name player in the market. 3Com's TippingPoint runs a similar program, called Zero Day Initiative, that pays researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code.
...
The company [iDefense] said the motive of the challenge is to "help assuage this uncertainty."
...
Flaws in release candidate or beta versions do not qualify, and iDefense's rules make it clear that the vulnerability "must be original and not previously disclosed either publicly or to the vendor by another party."
Microsoft typically frowns on the broker market for flaws in its products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the company said during the last iDefense hacking challenge.
"Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end user," a Microsoft spokesperson, in Redmond, Wash., said at that time.
-----------------------------------------
Since sound like MS is living in a dream world in regards to the blackmarket exploit auctions. So instead of iDefense paying compensation for a bug, which allows for responsible disclosure, MS rather those bugs go to the blackmarket for $50,000. Seriously?
This puts you and me and major corporations in the crosshairs of a dangerous unknown zero-day attacks.
Sure, there will always be zero-day attacks, but why not prevent the ones we can prevent with a little bit of money. Sometime might MS should be able to afford anyways.
I mean Mozilla pays for bugs…
In a perfect world, I would agree with Microsoft. This isn't really the "best" way to deal with vulnerabilities, but the perfect world doesn't exist.
Welcome to the real world...
No comments:
Post a Comment