When it becomes legally compulsory to report all vulnerabilities to the vendor immediately, what do you think will happen to bug bounties?
Replying to @dinodaizovi
@dinodaizovi I have a solution for that. Bounty should be rent for non-disclosure. Larger bounty -> delayed public disclosure. $0 -> 0-day.
Replying to @BRIAN_____
@BRIAN_____ That's an interesting idea but I fear vendors will call it extortion. But they called bounties extortion at one point too :).
Replying to @dinodaizovi
@dinodaizovi Yep. Lots of people have called it extortion already. I don't think it is, but it has been an uphill battle to explain it.
Replying to @BRIAN_____
@BRIAN_____ @dinodaizovi Problem is fairness: Startups & open-source projects can't pay. Big vendors w/ deep pockets buy time & sit on bugs.
Replying to @randomoracle
@randomoracle @BRIAN_____ @dinodaizovi Payments would be proportional to the software's userbase, so startups would be fine.
@jruderman @randomoracle @dinodaizovi Plus, *in the long run*, 0-day full disclosure is better for everybody. May not feel good immediately.