Reply to post: Re: Wouldn't work - without some modification.

Spanking the pirates of corporate security? Try a Plimsoll

veti Silver badge

Re: Wouldn't work - without some modification.

1. Yes, precise rules remain to be specced. Who decides what industry your company falls into? How do you decide what level of fines should be applied to it? If someone finds a hole in the website of (e.g.) a hotel, that allows an intruder to double-book, it seems unreasonable to charge thousands of dollars - or even many hundreds - for that. On the other hand, a similar exploit for an airline would be more serious (because it would expose the airline to security threats that have no real relevance to hotels). Likewise, there needs to be flexibility in the timeframe allowed for the victims to fix their problems. Not every system has to be taken offline immediately, or fixed within 48 hours of notification. Who makes all those rules, and how?

This is a non-trivial problem, and one I can imagine sinking the whole idea once you get into the nitty-gritty of it. But it's not self-evidently insurmountable.

2. This is not a problem. If the BOFH blows the whistle on a particular issue, that's good, because it means the company is now motivated to do something about it. If they threaten to blow the whistle, that's even better, because it means the company is motivated without having to pay off the bounty.
