Outpost 4 analysis by Matousec

Discussion in 'other firewalls' started by Dwarden, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. Legendkiller

    Legendkiller Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    1,053
    Well, I fail to understand the reason behind such a great attempt to put forward Matousec's case here... or are you a member of Matousec's elite panel yourself?

    But I will only say what Joliet Jake has rightfully mentioned in his earlier post: just mentioning on a website that they have found 100 bugs does not mean that they really exist...

    I declare here that Kaspersky has 500 bugs, and will only provide evidence if Eugene Kaspersky pays me some $10000... (will you believe me or believe their 99.6% detections...)

    What is needed here is transparency...

    What Matousec has done is complete rubbish and a joke, and until he provides concrete evidence to support his wild claims about all major security products, I am not a fool to believe him...

    Matousec is building castles in the air and wants people to buy them...

    Again, I make it very clear that I ain't against Matousec, but to believe his claims and reports, in their current form, is impossible...
     
  2. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    Well, in that case (to believe their claims) just wait for another public advisory :) ...
     
  3. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Probably virtual extortion, but I'm no lawyer, so I couldn't say.
    Bugs for sale, veiled in a review?...definitely.
    Is there a criminal lawyer in the house who could answer the legality of all this?
    This type of thing has most likely been going on for a long time, only now we get a little window on the dirty world of software security bugs.
    That doesn't make it right, but it appears to be the nature of that kind of business.

    I think most people have already been willing victims, only we don't recognize it because it is given warm and friendly names like Software Upgrade Policy, EULA, End of Support, and it is spread out over a period of a few years rather than all at once. And it's all nice and legal.

    Don't forget that in the end, we the consumers will pay the price for the software security bugs in higher prices no matter what.
    If the corporation spends more time and money making a secure and stable product, they will pass the cost on to us.
    If they rush out a sloppy, bug-laden product and later pay the bug finder's fee, they will pass the cost on to us.
    Right now we the consumers are doing most of the non-security bug finding for free.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I agree, but what should a researcher do when a corporation acts like a corporation and doesn't want to pay whatever is considered the fair market value of the bug? If the researcher is a good guy, he will keep the bug a secret, but get nothing for the effort.

    Edit: He should use proper channels for this, not deal directly with the corporation.
     
    Last edited: Oct 21, 2006
  5. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I think they would be shown a sample bug to determine the significance of the bug.
    I agree, this is not the best/cleanest way to do things.
    I agree. It is very open to fraud.
    In the car example, if the safety flaws are exposed, no extra harm to consumers is caused by the exposure.
    With the exposed security flaws, the potential harm is much greater.

    Yes, there will be a lot of abuse. It would have to be a trust relationship, which cannot exist when the corporation is being forced to pay up or else.
    They don't say what happens if the vendor does not agree to purchase.

    The reviews now appear to be a thin shroud for the sale of bugs.

    There are better more honorable solutions for the small vulnerability researcher like a third party intermediary such as Secunia or iDefense Vulnerability Contributor Program.
    iDefense or Secunia may just turn around and sell the bug at a higher price to the vendor.
    But at least this way, it is a trusted third party who can independently verify the claims.
    They already know all this but still choose to take the road of deceit, blackmail, and extortion.
     
    Last edited: Oct 21, 2006
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Now that's funny!
    You don't have to look too far to see that I am not an elite. :D
    I am just a consumer. I have purchased ZoneAlarm and Outpost in the past. I have absolutely no financial or other affiliation with any security software company or any security research firm.
    Not that it matters, but to be equal, do you have any financial affiliation with any security software or research firm? You don't have to answer if you don't want to.

    As for my reasons...
    My statement:
    Was premature and based on what appears to be the status quo in the software security bug business.
    If it is okay for big corporations to behave this way, then it should be okay for small companies to do the same.
    But justice favors the rich, and after thinking about it more, I do see several problems with the business model.
    And two wrongs don't make a right.

    They should deal with a trusted intermediary like iDefense or Secunia to allow for independent verification and not make it public like this.

    I agree.

    I agree.
    At what point would you believe his claims and reports?
    If he reveals 100% of the bugs, how does he make money?
    What percentage would be enough for you to believe his claims, 10%, 25%, 50%?

    You know, I am glad this topic came up so we could learn about it.
    I hope Matousec can make a viable business that can be profitable and still take the high road because I think they are professional and talented.
    I hope Matousec goes out of the blackmail business. :thumbd:
     
    Last edited: Oct 21, 2006
  7. Ngwana

    Ngwana Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    156
    Location:
    Glasgow, United Kingdom
    Who organised the TALENT SEARCH? The knowledge of bugs and vulnerabilities of security software products is not exclusive to Matousec.

    For those eager to cheer and applaud the BUGS FOR SALE business (I mean blackmail) model, why not just buy the bugs yourselves and threaten to reveal them unless Matousec pays you too? :mad:
     
  8. Legendkiller

    Legendkiller Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    1,053
    Very fair comment. I don't know what business or profit-making skills are being talked about here to support a stupid review...

    You make certain wild allegations and ask security vendors to buy them... but on what basis??
    Is there any credibility to his claims?
    I don't think so!

    Well, all I can say is best of luck to people who believe in such reviews. I am definitely not going to believe a review until it has some facts to support it.
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    This may all have been just an elaborate job resume.
    I am sorry to say that I fell for it at first.

    It is BUGS FOR SALE and that is WRONG no matter who does it or how it is disguised.
    There are honest alternatives already shown in this thread.
    They have gotten more attention than is deserved. I removed my link to them. :thumbd:

    Ngwana and Legendkiller,
    Thank you for helping me to see through all the Matousec lies. :) :cool:
     
    Last edited: Oct 21, 2006