[6530] in cryptography@c2.net mail archive
Re: prove me wrong, go to jail
daemon@ATHENA.MIT.EDU (Eric Murray)
Fri Jan 28 15:42:58 2000
Message-ID: <20000127163028.22314@slack.lne.com>
Date: Thu, 27 Jan 2000 16:30:28 -0800
From: Eric Murray <ericm@lne.com>
To: Ed Gerck <egerck@nma.com>
Cc: Ted Lemon <mellon@isc.org>, cryptography@c2.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <38908F12.39F632EF@nma.com>; from Ed Gerck on Thu, Jan 27, 2000 at 10:31:46AM -0800
On Thu, Jan 27, 2000 at 10:31:46AM -0800, Ed Gerck wrote:
> I can imagine a company writing, for the benefit of all:
>
> We support open assessment of risks -- if you find a security fault
> in our systems, please tell us first so that we can fix it first. We commit
> ourselves to making public all such communications after a solution
> is found so that publication will not compromise the system further. We
> also reward any recognized security fault called to our attention, up to
> US $1,000 from a minimum of US$ 50 -- value to be defined by us in
> relationship to known faults and to its relevance. To be eligible for
> the reward, we must be the first and only to be informed about it. The
> company reserves the right to consider legal measures to the full extent
> of law if a fault is discovered or a reward is pursued by illegal actions.
Netscape used to have a similar policy. I believe
that they called it "bugs bounty". They also posted security bug
fixes for public review (i.e. the random number bug).
--
Eric Murray www.lne.com/~ericm ericm at the site lne.com PGP keyid:E03F65E5