Why bug hunters are coming in from the wild
Abstract
One of 2013's more poignant blog posts came in October from Ramses Martinez, director of Yahoo's bug-finding division Yahoo Paranoids, under the title, ‘So I'm the guy who sent the T-shirt out as a thank you’. Martinez was responding to a storm of criticism he had run into for offering researchers at High-Tech Bridge - who had discovered three cross-site scripting (XSS) vulnerabilities that could compromise Yahoo user accounts - the company's then usual ‘thank you’ of a $12.50 gift voucher per bug, replacing the Yahoo T-shirt that Martinez had previously sent researchers as a personal thanks.

There are now over 200 ‘bug bounty’ programmes worldwide, offering researchers anything up to $150,000 for finding serious website or app vulnerabilities.

But with the black market in software exploits still thriving, the world of bug hunting is still shrouded in mistrust between vendors and researchers. Tim Ring looks at the different and sometimes unconventional ways in which the bug hunting industry is developing.
