@dinodaizovi I have a solution for that. Bounty should be rent for non-disclosure. Larger bounty -> delayed public disclosure. $0 -> 0-day.
Replying to @BRIAN_____
@BRIAN_____ That's an interesting idea but I fear vendors will call it extortion. But they called bounties extortion at one point too :).
Replying to @dinodaizovi
@dinodaizovi Yep. Lots of people have called it extortion already. I don't think it is, but it has been an uphill battle to explain it.
Replying to @BRIAN_____
@BRIAN_____ @dinodaizovi Problem is fairness: Startups & open-source projects can't pay. Big vendors w/ deep pockets buy time & sit on bugs.
Replying to @randomoracle
@randomoracle @BRIAN_____ @dinodaizovi Payments would be proportional to the software's userbase, so startups would be fine.
Replying to @jruderman
@randomoracle @BRIAN_____ @dinodaizovi For OSS, can we somehow encourage big users to contribute to security funds (bounties + audits)?
Replying to @jruderman
@jruderman @BRIAN_____ @dinodaizovi Just like how those big users have been generously funding critical projects like OpenSSL? ;-)
Replying to @randomoracle
@randomoracle @BRIAN_____ @dinodaizovi Exactly! Would it make sense for breach-insurance companies to make this a requirement?
Replying to @jruderman
@jruderman @BRIAN_____ @dinodaizovi That ignores the free-loader problem: all benefit from open source but prefer someone else pick up the tab.
Replying to @randomoracle
@randomoracle @jruderman @dinodaizovi If nobody picks up the tab then they'd be 0-day'd on every bug. Eventually they'll get tired of it.
@randomoracle @jruderman @dinodaizovi Timely sharing of information to the public is important. Coordinated disclosure is just a nicety.