
RE: Trend Micro's Vista "0day exploit auction" claim

To: pen-test@securityfocus.com
Subject: RE: Trend Micro's Vista "0day exploit auction" claim
From: "Sels, Roger" <roger.sels@gov-fbi.net>
Date: Tue, 19 Dec 2006 13:11:29 +0100 (CET)
Chris,

Good points.
However, how did you come to the assertion that everyone is expecting lots
of exploits? I, for one, didn't express this opinion.

Keeping Windows 2003 in mind (and how widely it's deployed, admittedly) we
could be in for a surprise with Vista. Maybe that's too optimistic; only
time will tell.

Kr

Roger

On Wed, December 20, 2006 12:54 am, Chris Poulter wrote:
> 50k per vulnerability opposed to hundreds (unlikely) 60-100k/year
> (unlikely) - the Q/A's might only get 40-50k/year, a security
> vulnerability technician would be the one getting paid the big bucks,
> but there wouldn't be "hundreds" of them? - how do you work that one out
> to be more feasible?
>
> Considering everyone is presuming there will be lots of exploits,
> 50k/exploit will equate to a much larger payout....
>
> And exploit the exploiters? - how do you figure this one as well?
> Someone getting paid 50k/exploit is far more beneficial to the
> "exploiter" than getting nothing and just sharing the love....where MS
> would lose out more if this happened and leave them more exposed...
>
> I'm not arguing for either side of the case as I haven't looked into it
> enough to make my own judgment, but I don't think your assessment is
> accurate...
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Cody Tubbs
> Sent: Wednesday, December 20, 2006 10:40 AM
> To: Radu Oprisan
> Cc: pen-test@securityfocus.com
> Subject: Re: Trend Micro's Vista "0day exploit auction" claim
>
> It's cheaper to pay kids 50k for actually finding flaws, rather than
> paying hundreds of QA engineers 60-100k a pop to spend months finding
> nothing.  Another reason M$ sucks, exploit the exploiters.
>
> -Cody Tubbs
>
> Radu Oprisan wrote:
>> Ryan Meyer wrote:
>>
>>> A number of popular tech news sources are reporting Trend Micro's CTO,
>>> Raimund Genes, publicly claiming that there are "auctions" for zero-day
>>> Windows Vista exploits. Further, he claims these auctions are fetching
>>> approx $50,000.
>>>
>>> Could anyone verify Trend Micro's claim?
>>>
>>
>>
>>> It seems dubious, at best, to me and possibly nothing more than pure FUD.
>>>
>>> Sorry to get off topic.
>>>
>>> Ryan Meyer
>>>
>>
>> This could also be some covert way for Microsoft to find their own
>> vulnerabilities. That has happened before.
>>
>>
>
>
>


-- 
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin

