17 March 2007

Should Microsoft Start Paying for Vulnerabilities?

"The MSRC (Microsoft Security Response Team) posted a message on the sla.ckers.org message board, calling on third-party researchers to submit vulnerability information directly to Redmond before going public.

Immediately after Microsoft's Sla.ckers.org post, "digi7al64" replied with this:

[I] propose MS implement a reward system where you agree to pay cash for vulnerabilities found within your domains. The benefit of this I suggest would be flood of vulnerabilities reported the first few months which would tapper off to only 1 or 2 intermittently as new systems come online.

The cost of this type of project would be relatively low and if you placed a sliding scale on amount paid (based on the vun) I'm sure you could get away with it for less then 20-50k all told… which in the big scheme of things is a drop in ocean for MS."

Click on the link below for the full article:


No comments: