From: Carter Mobley (carterm@PUBLICATE.COM)
Date: 11/03/01

Message-ID:  <002301c16409$3cec7fe0$>
Date:         Fri, 2 Nov 2001 20:45:37 -0500
From: Carter Mobley <carterm@PUBLICATE.COM>
Subject:      Re: Call to arms - INFORMATION ANARCHY

If Microsoft would simply offer cash rewards to vulnerability discoverers,
conditioned on the discoverer promising to never disclose to a third party,
I think the problem is solved quite nicely. For Microsoft, it's a cost of
doing business, they can add it to the price of the software. All we need is
a price list. What about this one?

A. $25,000.00 for bringing down a fully patched web server
B. $50,000.00 for accessing database records without setting off any
alarms on a fully patched SQL server.
C. $10,000.00 for accessing private information from a fully patched Windows
XP Home Edition.

If we assume that over the course of the next 5 years 100 A type
vulnerabilities and 100 B type vulnerabilities are found, reported
responsibly, and fixed by Microsoft, it costs Microsoft a total of 7.5
million dollars in reward money to protect their customers, all
vulnerabilities remaining 100 percent undisclosed.

Any rational objections to this simple, inexpensive, yet effective plan?

Carter Mobley
