Should we pay hackers to find bugs?

In new Jersey, you must pay an attendant to pump your own gas. In the IT world, you pay for hardware, software, and support. Intellectual property and labor is worth something to everyone else, so why shouldn't this apply to technicians working on faulty and defective software. So if the technician is a "hacker", does that make their time and effort worth any less? What is the material difference between intellectual property of a "hacker" and anyone else? Just a thought: Perhaps "hackers" could obtain patents on the fixes to the software/hardware/system instead? Then they could file an injunction if someone fixes their buggy system. (More rediculous things happen now!) Oh my!

"Hackers should not be paid to find bugs. Instead, when caught, they should be held within an inch of their lives if the don't release their known exploits. Hacking is, most certainly, taking its toll on our already ailing economy in terms of lost productivity across all areas of IT." LOL Thanks! That's the funniest thing I've read in WEEKS!!! You call yourself a conservative??!!! What about the free market? What about the real problem--people who continue to buy buggy software from companies that won't check their stuff before releasing it? Don't the purchasers deserve a product that is both safe and functional? The government and the individuals would drop like anvils from the sky on a car maker who put out anything as dangerously defective as most commercial software. And it's not CHEAP either, I've paid $500,000 and up for software that barely functioned and it was the BEST available of it's type. We don't fry mechanics who find flaws in cars, we shouldn't take the rights away from users who find problems either. How much is a bug worth? Depends upon the bug--those spelling errors and incorrect error messages aren't worth much, but how much does MS and it's customers stand to lose if an OS security hole is sold to the black hats? Millions? Billions? It is valuable information, and the owners have the right to do as they please with it--including give it to the manufacturer or sell it to the highest bidder. The industry and the users have a long, long history of being warned about security problems, and refusing to pay attention to the warnings. Remember ATMs? They were in the field in operation for months before any bank even bothered to insure them, and much longer before they encrypted the traffic. It's the economics of acceptable losses. If I were still hacking systems, and found a decent exploit, I'd send it to several attorneys certified mail, with instructions to hold them until called by the software company. Then when it broke in the news that the exploit existed, I'd send a letter to the company telling them to call the attorney and ask for their letter. Then it should be very easy to calculate EXACTLY what the time-value of that bug was. Besides, if you made it illegal, then a company which released a program with known vulnerabilities (unreleased) would be subject to both legal and civil claims. Frankly, I started trying to warn people about this stuff 35 years ago, and no one wanted to listen. Same with the 1999-2000 roll-over, management didn't become serious about it (except in the mortgage industry, which dealt with it decades earlier,) until the last 6 months, when they looked at the reports they'd been getting for months and months, and found out that, gee, 2000 was the end of NEXT quarter and they weren't ready. Whereupon most of them did exactly the wrong thing, and threw more manpower at the project, a fix known for decades to be ineffective at best, and counter-productive at worst. If the white-hats ever turned even gray, business world-wide would lose ordres of magnitude more than it does now, as most of the best hackers are also honest. (If they weren't, you would have seen banks being robbed in the late 70's by computer. The trick that cost Pacific Bank $12 million by wire transfer was trivial. And 9/11? Please, the ATC system is an antiquated joke, even after updating. Program a plane to fly anywhere if you can get in the auto-pilot--which these days is an entire computer system. A company that won't pay to put out quality work, deserves to have anything that can be done to them, done. You either pay up front, or you pay later--but you ALWAYS PAY. It's CHEAP to hire QA people. It's expensive to lose your life savings because you trusted a product with known defects. How much is an exploit against Server 2003 worth? 20-100x as much as the black hat offer. How much do the white hats want for that kind of information? A LIVING WAGE! Which is cheaper? Note that MS lost money on Vista & even on XP to Linux because MS has a really awful record for putting stuff out that has MAJOR bugs which the hackers usually locate in less than a month. Sooner or later, a government will decide that it is a crime to release software with certain types of bugs, just as every other product sold has some sort of safety requirement. MS just lost at least 80 million Pounds of UK government business to open-source freeware. More will follow, if only because of cash shortages. In the 60's programmers were very expensive, and machines were hideously expensive. Now, the same equipment level is hardly available, as the cheapest laptop out there is under $300 and does many times more things at much higher speed than any machine out of the 60's. Programmers are cheap. EXPERT programmers who write code that works without problems, are worth much, much more, but it is difficult to get any company to recognize that one person can be worth orders of magnitude more than another. A single hacker for one day can be worth more to your company than an IT department with 500 programmers for the year. If he/she is lucky, they might make 1% of that value, if they can get a job. I don't know if we've had any software hacks which killed yet, but we will. We've had errors which have destroyed millions of dollars worth of space-craft. Do you really think that all of the newly computerized equipment (down to and including your toaster,) won't get hacked? How do you prosecute someone who makes a car's GPS direct them into the lake from an unknown location? This is the same mentality that won't put in a stop sign unless someone dies, even when it is obviously dangerous not to have one. Finding exploits & bugs takes talent, education and time, all of which should be compensated, just like the butcher baker & candlestick maker. One hacker, actually using one exploit, can illegally make hundreds of millions and retire. Your answer is to force them to work for free? Bound to work. We've had marijuana illegal in the US for over 70 years and yet, somehow, it is still a top cash crop in all 50 states. We can't stop that, and most of it grows out in the open. How will you FIND, much less prosecute someone who refuses to release information that you don't even know they have?

This is a great idea; though it's not without problems, it should happen.