
> I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem

Aren't the issues not found by Oracle the problem? I'm amazed that still 23% of the externally found security issues are reported by researchers, the incentive to responsibly disclose security issues to Oracle isn't really big. It sounds like a cumbersome process with potential legal consequences.

There also are researchers (maybe after a first bad experience with an EULA) that sell security issues to the grey/black market. Is there any data on how many Java zero days are exploited in the wild before being fixed?

Changing your stance and being grateful for responsible disclosures and only using your EULA to threaten and sue the bad people can potentially save everyone with Java installed from a few zero days at zero cost.


I agree with that point, and think it hits at something bigger. Having a bug bounty doesn't just say 'we give out money for bugs'. It also says 'we have a thought-out programme for handling serious user-reported problems, and we won't reprimand or dismiss you for sharing them'.


When 0-days can exist in the 13% she handwaved away, it really makes you wonder how she's Chief Security Officer...


Nice post! Someone on my team just posted a similar post!

http://blog.factlink.com/post/45861768695/yolo-spend-less-ti...


You should seriously consider running mono>=2.10 with asp.net mvc. It completely fixes your rails security issues, while still letting you use ruby as your main language.

Also you gain a _lot_ in security by obscurity and hipster points. I don't know about stability, haven't tried this myself.

Check out the mono project for details: http://www.mono-project.com/Mono_Project_Roadmap


I've not heard of anyone using IronRuby in earnest, and it doesn't seem to have been updated in a couple of years. Is it a realistic option?

