Chrome security more gooder than other's securities?

This is an interesting quote:

"I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away," Miller told ZDNet. "Apple pays people to do the same job so we know there's value to this work."

I can see where he's coming from, but I'm not entirely sure it's totally ethical.
 
Well I think he is completely in line because he should get paid for his services. If a company needs to find out bugs about their software they should just hire the guy and pay him.
 
Well the flip-side is if he isn't being paid by the company, why is he going looking for [strike]exploits[/strike] bugs in the first place? Rooting around in people's trash bags looking for embarrassing photos, then asking them for money or you'll put them on Facebook... there's a word for that. If he's looking for bugs for reasons of intellectual curiosity then whoop-de-doo he just got his satisfaction from proving that he's better than Apple. He knows he's unlikely to get paid, that's what he's moaning about. So what, exactly, is his motivation?

( ^^^^ I'm playing Devil's Advocate here by the way ^^^^).

Personally I'd love to see an open scheme in which the browser devs put bounties on bugs. I don't have a problem with people who find these exploits getting paid, I think it would probably help improve browser security in general. But I'd feel a whole lot more comfortable if it was out in the open and free from the sniff of blackmail. In the absence of such a scheme I'm somewhat suspicious of people claiming they're doing it for the good of humanity.
 
You do have a fair point, nutball, but at the same time does he not work for some security services company? I do like the idea of the open scheme and bounties on bugs but I just don't see that idea becoming popular. I wonder how many of these exploits that these people find at these hackathons are already known bugs, just developers being lazy in fixing them. I would think not many...or else there wouldn't be those hackathons in the first place! :)
 