
Security research: buy low, sell high?

Posted Jul 15, 2007 11:11 UTC (Sun) by ortalo (subscriber, #4654)
Parent article: Security research: buy low, sell high?

The security researchers should certainly be rewarded for their work; that's a long-time problem, so any attempt to improve this situation is indeed worth a look.
But I wonder how one could address the other part of the problem: how could we *punish* the developers/managers/companies/users that introduce security bugs?
Certainly, that's a difficult problem, only intentionally careless developers deserve punishment, individuals certainly should be treated differently from organizations, administrators are sometimes the actual culprit, not to speak about all those managers who simply never want to fund security... However, it may be the other important part of the equation.



putting a price on lax security...

Posted Jul 19, 2007 12:34 UTC (Thu) by jabby (guest, #2648)

Actually, I was just thinking that this is a good way to get development companies who undervalue security auditing to put a realistic value on it. When they see what it will cost to buy themselves out of trouble ("Buy exclusively!"), perhaps they will see the relative cost-effectiveness of dedicating resources to security in their development processes. If not, at least it forces them to pay for their lax approach to security.

Re: punishment... I don't believe in punishment. In the first part of the theory, people learn to avoid the negative consequence and adjust their behavior in the future. That part might have some bearing on reality, but it certainly hasn't solved the problems of society (think "recidivism", "repeat offenders"). The other part of the theory is that the knowledge of the punishment will cause people to avoid the behavior in the first place. This just hasn't been shown to work (think "partial reinforcement"). In general, I find that understanding the source/motive of the bad behavior and addressing it at that level is far more effective.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds