In all fairness, you forgot at least one possible scenario in your rebuttal:
5. If one person found a flaw, logic and common sense dictate that others could and would eventually find the same flaw. Hopefully by that time M$ (or any other software vendor) would have done the smart/right thing and issued a patch or service pack to address the flaw (whether or not anyone actually applied the patch is another story). At least under that scenario the likelihood of a zero-day exploit is reduced.

Therefore my point stands, although I didn't put more than a moment's thought into it before spewing it out. It was almost meant in jest, and I never indicated it was an absolute solution (note the words "maybe" and "might" clearly included). Anyway, my main contribution there was the article, strictly for informational sake. When I try to solve the InfoSec problems of the world, I'll be a lot more thorough about it.

Peace,
Vic

On Wed, 5 Nov 2003, Jerry Heidtke wrote:

> > Maybe M$ should put out a bounty for reporting bugs in their
> > crappy software without going public instead. That might be
> > more effective.
>
> Where would the benefit to anyone be from that? The person reporting the
> bug may get a little money, at the cost of never mentioning it to anyone
> else. Do you think MS would fix a bug that wasn't going to be publicly
> disclosed?
>
> Bounties for reporting bugs can be a good thing. With MS, it would just
> be hush money.
>
> Scenarios as I see them:
>
> 1. Person reports bug to MS, person voluntarily doesn't publicly
> disclose, MS doesn't fix bug.
>
> 2. Person reports bug to MS, person gets paid not to publicly disclose,
> MS doesn't fix bug.
>
> 3. Person reports bug to MS, person later publicly discloses, MS may or
> may not fix bug.
>
> 4. Person doesn't report bug to MS first, person publicly discloses bug,
> MS may or may not fix bug.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
