[Owasp-rochester-announce] Question: Is this extortion or security consulting?
andrea.cogliati at owasp.org
Sun Oct 4 20:40:52 EDT 2009
It's definitely blackmailing. Like it or not, the only "currency"
received by security researchers for discovering vulnerabilities is
credit. I don't entirely agree with this practice, but this is how the
industry has been working for almost 10 years.
On Oct 4, 2009, at 2:29 PM, David Stevenson wrote:
> I saw this in LinkedIn in the Question and Answer section. People
> are calling this payment extortion. Is that a correct view, or is
> the hacker protecting consumers from poor security provided by
> corporations? Unstated in this description is whether consumer
> identity information, such as credit card numbers and/or social
> security numbers, were at risk of disclosure. Also unstated is
> whether company assets, or revenue, were at risk due to the security
> flaw. Were the security risks easily preventable, such as security
> risks caused by SQL Injection attacks?
> How to recognize on the financial statements a payment to a hacker
> that stops him from posting a security flaw on the internet?
> A payment of 100,000 was made to keep the flaw of the program from
> being public, how would this payment be recognized on the financial
> David Stevenson