1995-10-14 - Re: Netscape rewards are an insult

Header Data

From: Bob Snyder <rsnyder@janet.advsys.com>
To: cypherpunks@toad.com
Message Hash: bec3f889afa37b26ee94ba48a68bab7816418e6acf3e7349671927984476601b
Message ID: <199510142153.RAA01017@janet.advsys.com>
Reply To: <9510141153.AA16412@all.net>
UTC Datetime: 1995-10-14 21:51:11 UTC
Raw Date: Sat, 14 Oct 95 14:51:11 PDT

Raw message

From: Bob Snyder <rsnyder@janet.advsys.com>
Date: Sat, 14 Oct 95 14:51:11 PDT
To: cypherpunks@toad.com
Subject: Re: Netscape rewards are an insult
In-Reply-To: <9510141153.AA16412@all.net>
Message-ID: <199510142153.RAA01017@janet.advsys.com>
MIME-Version: 1.0
Content-Type: text/plain


fc@all.net said:
> 	The idea that Netscape (like Microsoft) thinks they can get free 
> testing services from all over the net by real experts just by 
> offering a tee shirt is downright offensive.

They can. Maybe not from you, but people were poking holes in Netscape before 
*anything* was offered. Greed isn't the sole motivator of people.

> 	I have a better idea.  How about an open market in break-in 
> software.  We crack Netscape and offer the crack code to the highest 
> bidder.  Bids start at US$25K per hole.  For the insult, Netscape has 
> to outbid the competition by a factor of 2 to get the details of the 
> hole. Here's how it works:

A bit too mercenary-like for my tastes, and a bit lacking in ethics. Tracking 
down security holes and selling them to the highest bidder without giving 
details to all doesn't just hurt Netscape.

> 	I have an even better idea.  How about if Netscape gets some 
> competent programmers with real security expertise, adds in some good 
> change controls, a serious internal testing program, quality control 
> ala ISO-9000, internal IT auditors, external IT auditors, training 
> and education for their employees, and everything else it takes to be 
> in the software business in a serious way.

This sounds like a better idea. And it isn't mutually exclusive with the "Bugs 
Bounty" or T-shirts.

From what I recall, Netscape has hired decent programmers. I don't know about their internal business practices. From what I've seen, though, they have the right attitude about fixing security, rather than sweeping it under the rug and suing people who allege security faults. Certainly their release of their PRNG code is proof of that.

Bob
