No more free bugs for software vendors

For years, software makers have benefited from the work done by the community of security researchers who spend days or weeks looking for vulnerabilities and novel ways to break the vendors’ products. This work is virtually always done pro bono by researchers who either have day jobs and do their research as a sideline or by experts at security companies who do the work as a way to promote their research teams. Either way, until recently, most of these bug reports were given to the affected vendors for free.

But now, several high-profile bug finders are trying to put an end to this practice. Alex Sotirov (above, left), Dino Dai Zovi (above, right) and Charlie Miller were talking up their “no more free bugs” mantra at the CanSecWest conference last week, spreading the word that, in most cases, they would no longer be providing vendors with free vulnerability notices. Miller, of Independent Security Evaluators, is already pretty far down this road, having turned his skills into a career finding bugs for money. And he’s put those skills to use to win cash bounties at the Pwn2Own hacking contest at CanSecWest the last two years.