Saturday, June 21, 2008

Firefox 3 - Security Flaw, Paying for exploits

On Thursday, InformationWeek reported that Firefox 3 had a "security flaw". This is not a surprise; all software has bugs. But the flaw should have been reported to Mozilla before the release, so that they had time to fix it prior to shipping.

InformationWeek raises the issue of paying security researchers for the bugs they submit: "...Security experts have raised concerns about such programs, saying they set a precedent in which people could start selling their information to the highest bidder, who could end up being a criminal. In addition, there's no guarantee that the information is coming from an ethical hacker."

Paying for exploits is a difficult issue. Should we encourage security researchers to keep finding vulnerabilities? Will it ensure that the problems are found before others can exploit them? Or are we just creating a cyclical economy: detect a flaw, pay for it, report it, fix it, and find another flaw?

I believe that it is important for researchers to find these flaws and report them responsibly. They should be paid for their work (otherwise they may turn black hat :) ), but perhaps vendors should place bounties on their own bugs, rather than third parties doing so.
