fc@all.net said:
The idea that Netscape (like Microsoft) thinks they can get free testing services from all over the net by real experts just by offering a tee shirt is downright offensive.
They can. Maybe not from you, but people were poking holes in Netscape before *anything* was offered. Greed isn't the sole motivator of people.
I have a better idea. How about an open market in break-in software. We crack Netscape and offer the crack code to the highest bidder. Bids start at US$25K per hole. For the insult, Netscape has to outbid the competition by a factor of 2 to get the details of the hole. Here's how it works:
A bit too mercenary-like for my tastes, and a bit lacking in ethics. Tracking down security holes and selling them to the highest bidder without giving details to all doesn't just hurt Netscape.
I have an even better idea. How about if Netscape gets some competent programmers with real security expertise, adds in some good change controls, a serious internal testing program, quality control à la ISO-9000, internal IT auditors, external IT auditors, training and education for their employees, and everything else it takes to be in the software business in a serious way.
This sounds like a better idea. And it isn't mutually exclusive with the "Bugs Bounty" or T-shirts.
From what I recall, Netscape has hired decent programmers. I don't know about their internal business practices. From what I've seen, though, they have the right attitude about fixing security, rather than sweeping it under the rug and suing people who allege security faults. Certainly their release of their PRNG code is proof of that.
Bob