Content

Debate» Security researchers should be paid for finding vulnerabilities in code

,

FOR - Kip McClanahan, TippingPoint

3Com's new Zero Day Initiative is a program designed to protect against zero day flaws. It rewards researchers who submit vulnerability information to the affected vendor to develop a patch.

We support security research to promote responsible disclosure and reduce security risks for affected users. In the absence of an incentive, researchers might publicly post this potentially harmful information.

Discovering vulnerability information is not uncommon. Researchers might even stumble across a flaw. Not all researchers are malicious. Most are security professionals who desire stronger security for the greater good.

We will not work with known black hats.

Security researchers should be rewarded for responsible handling. When zero-day vulnerabilities occur, the industry scrambles to find a solution and, in some cases, there are none.

We believe this is a viable solution to reduce zero-day vulnerabilities, which ultimately enhances security. It also gives researchers the recognition they desire without the negative repercussions of publicly posted vulnerabilities.

AGAINST - Ed Adams, CEO, Security Innovation

Paying researchers to find security vulnerabilities is not a positive step. It allows extortion, exploitation (of both people and software) and hacking.

First and foremost, calling those people who find and report security vulnerabilities for cash "researchers" is insulting to those of us who do this professionally and treat it with respect and responsible disclosure.

Unfortunately, there is already an all-too-common process where some researchers engage in threats like: "Pay me $X or I'll sell this to iDefense," or "Mr. Vendor, fix this vulnerability in three weeks because I am giving a paper on it at DefCon."

Vendors that pay the public to find security holes tack a "hack me" sign on their backs.

Consider this: a less-than-ethical "researcher" finds a huge vulnerability in an online banking system and is now faced with reporting it for a few bucks or keeping the valuables they pry away from the system... tough choice.

And if he gets caught, he has the great excuse of: "They pay me to do it!"

That might even stand up in court.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.