Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Sunday, 29 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Researchers are often motivated by money

by The Gurus
April 11, 2014
in Editor's News
Share on FacebookShare on Twitter

Bug bounties encourage researchers to be motivated by money rather than pushing for a safer environment.
 
Speaking to IT Security Guru, Cris Thomas, technical manager at Tenable and former L0pht member Spacerogue, said that the group’s efforts were in an aim to get security right and get things fixed. Asked if he felt that the introduction of bug bounties has made things better, he said he “wouldn’t call it better now”.
 
He said: “Because of the bug bounty programmes you have a marketplace, it is not about fixing bugs it is about putting dollars in your pocket. If you find a bug you should get paid for your work as people forget that stuff we did 15 years ago was in addition to day jobs, so we had day jobs to pay for our research. We did our L0pht stuff and found vulnerabilities for fun.
 
“Now there are people who get enjoyment out of finding vulnerabilities, but also want to get paid and rewarded for their effort and time, and I don’t see a problem with that, but it creates a lot of other issues as well as you create a marketplace and you have Governments buying vulnerabilities and stock piling them so that they do not get fixed. That is something I cannot agree with, I want to see stuff get fixed.”
 
Thomas said now security issues are found in areas where they were not thought of to look for before. Joe Grand, who was the L0pht member Kingpin, said that the group members were not getting paid as there wasn’t much of an industry, and now Microsoft pays $100,000 for finding a bug.
 
“That changes things for people who want to get paid and not to make things better. We have grown up and have jobs and families, but there will always be a younger generation and people who grew up the same way we did, hacking things in the basement,” he said.
 
“In the security industry and in technology, there is a lot of money floating around now, so the ambition to create a group is always going to come back to money, whereas at the L0pht money was not the thing, it was doing what we wanted to do.”
 
Thomas called a lot of bug bounty programmes “great, as they motivate people to find bugs and companies to fix them”, but said that is a small factor of what software is rewards findings of bugs, as 99 per cent of it has no bounty so there is no incentive to fix anything.
 
Christien Rioux, aka Dildog, said that the people selling the exploits are not those doing the hacking. “Also it takes a long time to make an exploit – a weaponised exploit that is perfect and executes can take six to nine months and that is a long time for a developer so they have to find a way to monetise that and it requires hundreds of people buying it for a few hundred dollars a time. That’s where the economy makes it explode a little bit.”

FacebookTweetLinkedIn
Tags: Bug BountyVulnerability
ShareTweetShare
Previous Post

US urges businesses to share cyber threat data

Next Post

Canadian banks say they are safe from Heartbleed

Recent News

Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023
Lupovis eliminates false positive security alerts for security analysts and MSSPs

Lupovis eliminates false positive security alerts for security analysts and MSSPs

January 26, 2023
Threat actors launch one malicious attack every minute

Threat actors launch one malicious attack every minute

January 25, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information