Threat Center Security News Security researchers bat for cash incentives
Security researchers bat for cash incentives Print E-mail
Written by Rebecca Mints   
Friday, 27 March 2009 05:40

Seeking 'legal options to monetize security research, three researchers who have been reporting about discovered bugs for free are now asking to be paid for their work.

Dino Dai Zovi, Charlie Miller and Alex Sotirov said they will cease providing details of their research about newly found bugs unless they are properly compensated.

In his blog posted this week, Dai Zovi called their demand “No More Free Bugs,” and explained that the current relationship between companies and researchers is unfair. “It is also not fair to the software developers' customers,” he argued.

He also took a shot at “freeloading software vendors”. “They place their customers at risk by not putting forth resources to discover vulnerabilities in and fix their products,” he wrote.

The researches demanded to have mechanisms in place to give incentives to researchers who look for flaws in a software. “There just needs to be more legal and transparent options for monetizing security research,” Dai Zovi wrote in his blog.

The three argued that this would provide a fair market value for a researcher's findings and incentivize more researchers to find and report vulnerabilities to these organizations,” they said.

Paid bug hunting could peg as much as $100,000 from a single flaw categorized as critical.

Software giant Microsoft Corporation is the only company so far that has put in place a mechanism to pay for discovered vulnerabilities found by independent researchers.

However, the three said that previously published research should excluded from the 'pay-for-bugs' scheme as this might be misconstrued as extortion.


WTW Threat Level