[18983] in bugtraq
Re: Security information for dollars?
daemon@ATHENA.MIT.EDU (Lincoln Yeoh)
Sat Feb 3 18:24:21 2001
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.5.32.20010203144230.00aecbc0@192.228.128.13>
Date: Sat, 3 Feb 2001 14:42:30 +0800
Reply-To: Lincoln Yeoh <lyeoh@POP.JARING.MY>
From: Lincoln Yeoh <lyeoh@POP.JARING.MY>
X-To: Shalon Wood <dstar@PELE.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <87y9vpjkts.fsf@pele.pele.cx>

At 07:06 AM 2/2/01 -0600, Shalon Wood wrote:
>Cooper <Cooper@LINUXFAN.COM> writes:
>
>> Now, could someone explain to me why a select list of individuals should
>> get an earlier warning?
>
>I think this is the crux of the matter. Before you can say that this
>is a good idea, you first have to show that some people should get
>early notice. Quite frankly, I can see a *very* strong argument in
>favor of the root servers, CCTLD, &c operators getting advance

Sure, but how will they actually get early notice?

Unless ISC _pays_ people who announce security issues to the closed list
exclusively, I don't see how it's really going to work significantly
better. Why announce to the closed list, vs Bugtraq?

So how about:

The listeners pay.
The bug announcers get paid.
ISC gets what's left.
The more bugs the less ISC gets.

One way to cut costs would be to pay using fancy cheques (stating what
exploit it's for) which would be more likely to be framed up than cashed. ;).

Cheerio,
Link.