Having been *a little* bit involved with product development and testing in my time, and being kind of ultra-cognizant of security most of the time, I often wonder about the "No Free Bugs" movement and why it exists.
Why don't companies pay security researchers to find security holes in their products? It seems like a win-win to me.
- By paying the researcher in exchange for signing an NDA (that specifies no disclosure until there's a fix - with a fixed end date, of course!), you get more control over disclosure - less likely to have a pissed off researcher telling everyone about it, plus you've got legal recourse.
- The researcher gets cash, cred, *and* fodder for the security con circuit.
Win-win! Maybe I'm looking at it too simplistically? Is it that researchers don't want to do this? Or corporations don't want to bother? Or don't trust the researchers enough?
External auditing firms are great for CYA, but expensive and still do miss things. Seems to me like augmenting your 'professional' review and internal QA with a few scrappy, bright researchers who are highly motivated to break your security is the ultimate CYA when developing secure products. Each and every layer you can add makes your product stronger and secures you against liability.
Update - See, Google gets it!