Michael Sutton Quotes

We're not aware of any public exploit code for it at this time. - Michael Sutton

We pay people directly for their submissions, and then we also have various programs to reward our loyal contributors and keep them working with us. This is our latest effort to further reward them. - Michael Sutton

This is relatively easy to exploit. It takes some degree of social engineering -- the attacker would have to draw people to a malicious Web site -- but after that, there's no further intervention required. An attacker could leverage this to write to a file on the hard drive. And once you can write to a person's machine, you have full control. - Michael Sutton

There's always code reuse in development, which is a good thing. No one writes an entire application from scratch. But if you're using someone else's code, you're relying on the security of that code. Developers need to apply the same level of security testing to those shared pieces as they do to their own code. - Michael Sutton

There is some irony there. - Michael Sutton

The vulnerability still exists in Internet Explorer in that it's very lenient in how it pulls CSS, but right now nobody is publishing a way that it can be leveraged to do something useful. That's not to say that somebody won't find a way. I'm sure somebody will come up with a creative way to leverage it to do something evil. - Michael Sutton

The only model that makes no sense to me is the altruistic model. The vendor wants the researcher to do his code review for free and that doesn't quite fly. They are profiting from the vulnerability information but they don't want to pay for it. - Michael Sutton

The nice thing is that a third party that has nothing to do with [the VCP] is deciding what the criticality is. We're still signing the contract with the researcher and we're still paying the fee for the specific contributor, but we're saying that if it results in a critical bulletin, there's a $10,000 bonus on the table. - Michael Sutton

Page 1 of 3

Next -> Last ->>