Vulnerability disclosure policies - lost and found

Posted Jul 10, 2010 0:18 UTC (Sat) by giraffedata (subscriber, #1954)
In reply to: Vulnerability disclosure policies by NRArnot
Parent article: Vulnerability disclosure policies

It is the law in California, and I suspect most of the U.S., that if you find someone's lost property, you must make an effort to return it to its owner, and you are not entitled to any reward.

This expresses some people's view of civility, but it also may prevent the recovery of some property, since someone can't make a business out of finding and returning property. The same could be said about reporting bugs. If we consider it a person's obligation to disclose a bug for free once he finds it, how much incentive does he have to look for bugs?


Vulnerability disclosure policies - lost and found

Posted Jul 13, 2010 12:10 UTC (Tue) by mpr22 (subscriber, #60784)

He gets to feel smarter than the author of the buggy code.

Vulnerability disclosure policies - lost and found

Posted Jul 13, 2010 14:20 UTC (Tue) by giraffedata (subscriber, #1954)

If we consider it a person's obligation to disclose a bug for free once he finds it, how much incentive does he have to look for bugs?
He gets to feel smarter than the author of the buggy code.

That's a good incentive for hobby-level bug investigation, but not enough to give up one's day job or hire a staff or give someone a research grant. I don't know much about the project in question here, but I have the impression that many of these bug hunters put more than recreational-level effort into it.

Vulnerability disclosure policies - lost and found

Posted Jul 15, 2010 3:43 UTC (Thu) by jjs (guest, #10315)

Better code? People search for bugs because they're USING the software. They find bugs and report them so THEY get better software. It's capitalism at its finest - people doing things because of their own interest.

Look at how Apache came into being for an example.

Copyright © 2013, Eklektix, Inc.