Tuesday, August 30, 2005

Needle Exchange For Hackers (not!)

OK article, but not necessarily a good analogy. An addict turns in a dirty needle and gets a clean one – no exchange of information is required. The “hackers” aren’t turning in their tools. This is closer to a slut vs. a prostitute – one gets paid, the other doesn’t, and either way, everyone involved gets a little dirty...
Needle exchange programs operate on the gritty premise that junkies will shoot up regardless of risk, so you might as well give them clean needles to prevent the spread of disease. That's the same kind of logic behind programs such as iDefense's Vulnerability Contributor Program (VCP) and 3Com/TippingPoint Technologies' new Zero Day Initiative (ZDI), which pay independent researchers for newly discovered software vulnerabilities. Hackers will never stop uncovering flaws, so you might as well encourage them with cash payouts to report those vulnerabilities to a trustworthy security company. The company then shares this information with customers and affected vendors, and waits until a patch is available before publicly announcing the vulnerability. "We're doing the QA that vendors should have done before they ever put the product on the shelf," says Michael Sutton, director of iDefense Labs and the VCP. "Vendors benefit because they get advanced warning, and end users benefit because they get vulnerabilities patched."

Copyright 2018 e2e Security.