Dailydave mailing list archives
RE: vuln research/disclosure paper from eEye
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 19 May 2005 18:19:50 +0200
Hi Chris,

Yep, I'll take the heat for that, since I wrote it. :)

I have (and always have had) great respect for l0pht while it was l0pht. You were, as you say, selling product before eEye. So were ISS, and a lot of other people. The l0pht / Schneier PPTP paper in 1998 was one of the seminal works of formal security analysis.

I was focusing, however, on paid commercial vulnerability research teams, and I said "LIKE... blah blah". I'm also happy to admit that we weren't the first company ever to post vulnerabilities - my paper was supposed to be vaguely factual, so what do you expect?

If you think that there are material errors in my paper I'd like to discuss it. Please don't take this as dissing l0pht. In fact, Dave has more reason to be upset than you, since I am less than rosy about vulnerability sharing clubs in the paper - although I like to think I am balanced.

So. All flames my way. I'm a big boy, I can handle them. If you can show me that I have flat-out lied or been misinformed then I'm ready to apologise. And again, I was not trying to trivialise any of the contributions that you guys or hundreds of others made to security in the '90s - and if you take the whole paper in context then I like to think that is clear.

Cheers,

ben
-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Chris Wysopal
Sent: Thursday, May 19, 2005 5:13 PM
To: dailydave () lists immunitysec com
Subject: [Dailydave] vuln research/disclosure paper from eEye

Zero Day: Vulnerability Research, Disclosure and Ethics
By: Ben Nagy
Senior Security Engineer
eEye Digital Security
http://www.eeye.com/~data/publish/whitepapers/research/OT20050 512.FILE.pdf

Dave's favorite topic, I know. What caught my eye was:

"The first professional research teams were created in the late 1990s by innovative commercial vendors like eEye Digital Security and ISS - at last presenting a legitimate way for researchers to find software vulnerabilities for a living"

I guess L0pht wasn't commercial enough for them even though we were selling software and had 4 fulltime employees years before eEye's first product was for sale. L0pht along with Cerberus Information Security, CORE SDI, Secure Networks, Inc., and yes, ISS really paved the way. I am probably missing others.

Zero Day: Vulnerability Research, Disclosure and Ethics
By: Ben Nagy
Senior Security Engineer
eEye Digital Security
http://www.eeye.com/~data/publish/whitepapers/research/OT20050 512.FILE.pdf

-Chris

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave