TippingPoint (owned by 3Com) and iDefense (owned by Verisign) are both offering bounties for disclosure of vulnerabilities. Both firms apparently intend to reveal the disclosures to the affected vendors, rather than to the public. Mozilla has for some time been paying $500 per bug found.
And of course there are numerous other organizations looking for flaws in everyone’s code; many of these organizations won’t tell the vendor first.
Maybe it’s better to encourage as many friendly eyes as possible to look at your code, so they’ll tell you before somebody else uses a vulnerability as an exploit or tells the public before they tell you. Hm, this sounds a lot like open software.
-jsq