Re: [WEB SECURITY] What do security researchers want in a security disclosure policy to reduce their liability?
- From: "Mark Andrews" <gdroids@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] What do security researchers want in a security disclosure policy to reduce their liability?
- Date: Thu, 9 Aug 2007 21:00:02 -0700
On the other hand, these sites are publicly facing. IMHO it is the
company's responsibility to crank these apps down. Companies have the
opportunity for free app. sec. consulting. Threatening researchers that
divulge vulns free of charge/for a small reward with prosecution is
counterproductive on the 'company's' part. I think a happy medium is
attainable. Maybe a EULA (for lack of a better term) on behalf of a
researcher list is in order. Not sure how one gets on the list (backed
by a lawyer of course.)
-Mark
On 8/9/07, Bubba Gump <bubbagump123@xxxxxxxxx> wrote:
> Andy,
> This is a good idea, but I don't know about putting up a thank you page for
> the security researcher. Companies are really careful about admitting to
> having security vulnerabilities. I think in most cases they would rather
> quietly fix the issue and thank the researcher privately.
>
> And offering up any kind of reward would encourage people to mess with the
> company's website to search for bugs.
>
> -Bubba
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org