When it becomes legally compulsory to report all vulnerabilities to the vendor immediately, what do you think will happen to bug bounties?
@dinodaizovi Yep. Lots of people have called it extortion already. I don't think it is, but it has been an uphill battle to explain it.
@BRIAN_____ @dinodaizovi Who decides what the maximum "rent" is?
@cryptorobert @dinodaizovi The researcher. But I want an Association of Hacking Professionals (like doctors have the AMA) to set guidelines.
@BRIAN_____ @dinodaizovi Problem is fairness: Startups & open-source projects can't pay; Big vendors w/ deep pockets buy time & sit on bugs.
@randomoracle @BRIAN_____ @dinodaizovi Payments would be proportional to the software's userbase, so startups would be fine.
@jruderman @randomoracle @dinodaizovi Plus, *in the long run*, 0-day full disclosure is better for everybody. May not feel good immediately.