Alex Sotirov

Vulnerability showboating is for amateurs

By Gunter Ollmann
It’s like one of those magic candles people place on birthday cakes that sparkle and relight themselves each time you think they’ve been blown out. That’s how I’d define the most recent ignition of the “bugs for cash” debate.

By now you’ll have probably heard that Dino Dai Zovi, Charlie Miller and Alex Sotirov have declared “No more free bugs” (Dai Zovi affirms his position and provides insight into his side of the argument over on his blog, in a post titled “No more free bugs”).

No more free bugs for software vendors

It appears that the free ride is over for software vendors.

For years, software makers have benefited from the work done by the community of security researchers who spend days or weeks looking for vulnerabilities and novel ways to break the vendors’ products. This work is virtually always done pro bono by researchers who either have day jobs and do their research as a sideline or by experts at security companies who do the work as a way to promote their research teams. Either way, until recently, most of these bug reports were given to the affected vendors for free.

No consensus yet on partial disclosure

Five of the brighter minds in the security industry spent two hours Thursday afternoon arguing, needling each other and generally disagreeing about everything under the sun and at the end of it all settled absolutely nothing on the topic of partial disclosure.

