http://news.com.com/Bug+hunting+start-up+Pay+up%2C+or+feel+the+pain/2100-735 0_3-6200489.html
Bug hunting start-up: Pay up, or feel the pain By Dawn Kawamoto An upstart security research firm with a controversial business model is at the center of a debate over how software bugs should be disclosed. Vulnerability Discovery and Analysis (VDA) Labs <http://www.vdalabs.com/> , founded in April by Jared DeMott, notifies software vendors of security bugs found in their software, as do many other security researchers. But as part of VDA's business model, vendors are asked to pay for the bugs it discovers, or its consulting services, otherwise VDA threatens to sell the bug to a third party or make the details of the security flaw public. DeMott, who has done work for the National Security Agency among other places, describes his business model as "edgy," while other security researchers see it as more akin to "extortion." The practice, in either case, veers from the more traditional ways bug hunters have worked with software vendors and security firms. Just two weeks ago, LinkedIn, the popular social-networking site, got a taste of VDA's business practices, when the Michigan security company claimed it had found a critical security flaw in the LinkedIn Internet Explorer Toolbar. "We've discovered an attack against the LinkedIn toolbar. If you are interested in the bug, we would like to give first right of refusal to purchase it. We'd also like to perform a more complete security audit of your products. We can help make the LinkedIn products more secure," DeMott stated in e-mail sent to LinkedIn on July 10, as viewed by CNET News.com. The e-mail continues: "If you wouldn't like to buy it then we are happy to resell or release as a full disclosure to help prevent security issues arising on end users servers. We strongly believe in keeping users safe. We are unique in that we give vendors a first chance at the bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA Labs Value add document attached. If you'd like to buy the bug we will provide working attack code, so that you can verify the bug, before you send the check." VDA set a deadline of July 17 and requested a payment of $5,000. After failing to receive a response from LinkedIn, DeMott sent two e-mails on the eve of the deadline. One served as a reminder that the deadline was looming, and the other stated the price had increased to $10,000. ... _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
