The Linden Lab reaction on finding exploits

1 08 2006

Things are on the move… and somewhat different.

Just one week after the latest exploit was found (and the resulting downtime to fix it last weekend), and with people wondering what the official way to report exploits actually is, Linden Lab yesterday presented their new mechanism for reporting them.

In a blog post, Brent Linden explains that the upcoming update (to be deployed tomorrow) will add an “Exploit” category to the bug report page. Such a report immediately triggers a notification to him by email and phone, so a quick reaction can hopefully be expected. There are several strings attached to when this report option should be used, which can be read in his post.

Additionally, Linden Lab offers a bounty of L$10,000 (about US$30) to residents who are the first to report an exploit. The bounty is paid once per resident, not per exploit, and the offer is time-limited.

My thoughts on it

All in all I think it’s a good move (although we should see how well it works in practice first). Nevertheless, some other remarks:

  • IMHO having just Brent looking over it at whatever time of the day doesn’t really seem like the way to do it. There should be some team, eventually spread around the globe, to deal with time zone problems (as long as we haven’t finally gotten rid of those, that is). I don’t know, though, whether there are any devs anywhere other than SF. But at least some people could be trained for first-level support.
  • Having only L$10,000 once per resident might not really lead to much exploit hunting (besides, it’s not that much money in RL). I don’t know, though, how many exploits they expect to be found 😉 It would IMHO be better to pay per verified incident and maybe even give the reporter some fame.
  • Most users don’t read blogs, so they might not know about the strings attached when marking a bug as “exploit”. This might lead to unnecessary wakeup calls for Brent and eventually even to abuse reports against those residents. Some UI work seems to be missing here.
  • Most of this will happen silently. This means that a) we cannot really judge how well it works and b) some incentives might be missing, like those there would be if I knew that person X is a great bug hunter. So I hope that LL will at least publish some statistics on what has happened from time to time (I doubt it, though).

What I would still like to know is why Cristiano was banned. This issue is somewhat related, and so far we only know Cristiano’s point of view. But that’s stuff for another post.
