On Thu, Jan 27, 2000 at 10:31:46AM -0800, Ed Gerck wrote:
> I can imagine a company writing, for the benefit of all:
>
> We support open assessment of risks -- if you find a security fault
> in our systems, please tell us first so that we can fix it first. We commit
> ourselves to making public all such communications after a solution
> is found so that publication will not compromise the system further. We
> also reward any recognized security fault called to our attention, up to
> US $1,000 from a minimum of US$ 50 -- value to be defined by us in
> relationship to known faults and to its relevance. To be eligible for
> the reward, we must be the first and only to be informed about it. The
> company reserves the right to consider legal measures to the full extent
> of law if a fault is discovered or a reward is pursued by illegal actions.
Netscape used to have a similar policy. I believe
that they called it "bugs bounty". They also posted security bug
fixes for public review (i.e. the random number bug).
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5