
Vulnerability disclosure policies

Posted Jul 8, 2010 12:25 UTC (Thu) by mpr22 (subscriber, #60784)
In reply to: Vulnerability disclosure policies by error27
Parent article: Vulnerability disclosure policies

Uh, no, I wouldn't expect a finder's fee for returning someone's wallet (even though I wouldn't be particularly offended, upset, or surprised to find they'd returned it sans cash - it's not like I can prove it was them who removed it!), and I think any law enshrining an entitlement/requirement for such should be amended or repealed to remove it.

I'd cheerfully buy the person who returned it a drink if all the cash was still there, though.


Vulnerability disclosure policies

Posted Jul 8, 2010 13:44 UTC (Thu) by NRArnot (subscriber, #3033)

Back in the days of film cameras, a keen photographer friend always kept a self-addressed and stamped envelope in his kit-bag, with a note asking anyone who had stolen the bag to return the exposed films rather than throwing them away.

It worked.

Vulnerability disclosure policies - lost and found

Posted Jul 10, 2010 0:18 UTC (Sat) by giraffedata (subscriber, #1954)

It is the law in California, and I suspect most of the U.S., that if you find someone's lost property, you must make an effort to return it to its owner, and you are not entitled to any reward.

This expresses some people's view of civility, but it also may prevent the recovery of some property, since someone can't make a business out of finding and returning property. The same could be said about reporting bugs. If we consider it a person's obligation to disclose a bug for free once he finds it, how much incentive does he have to look for bugs?

Vulnerability disclosure policies - lost and found

Posted Jul 13, 2010 12:10 UTC (Tue) by mpr22 (subscriber, #60784)

He gets to feel smarter than the author of the buggy code.

Vulnerability disclosure policies - lost and found

Posted Jul 13, 2010 14:20 UTC (Tue) by giraffedata (subscriber, #1954)

If we consider it a person's obligation to disclose a bug for free once he finds it, how much incentive does he have to look for bugs?
He gets to feel smarter than the author of the buggy code.

That's a good incentive for hobby-level bug investigation, but not enough to give up one's day job or hire a staff or give someone a research grant. I don't know much about the project in question here, but I have the impression that many of these bug hunters put more than recreational level effort into it.

Vulnerability disclosure policies - lost and found

Posted Jul 15, 2010 3:43 UTC (Thu) by jjs (guest, #10315)

Better code? People search for bugs because they're USING the software. They find bugs and report them so THEY get better software. It's capitalism at its finest - people doing things because of their own interest.

Look at how Apache came into being for an example.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds