funsec mailing list archives

Re: Security research vuln pimps


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 26 Apr 2010 14:36:41 -0700

This is a whiny argument for purported security-by-obscurity, and it
completely ignores the possibility of independent discovery.

If my memory serves me right, I found over 200 vulnerabilities, pretty
much all of them in high-profile client- and server-side apps. This
makes me think I have a pretty good body of evidence to work with.

Now, with this in mind: let me categorically assert that *none* of
these findings I would attribute to my amazing brilliance, divine
intervention, or any other unique circumstances.

A vast majority of them were just a result of the security community
reaching a certain body of critical knowledge - having a better
understanding of what can go wrong, where to look for it, and how to
automate the testing with simple fuzzers and similar validation
frameworks... and then simply picking an obvious target to go after.
Another interesting data point: in my experience, when you do this
with a sufficiently buggy application, most of the problems you find
would turn out to be dupes of what other researchers discovered weeks
or months earlier.

I suspect the same pattern applies to a vast majority of my peers,
though not all of them are ready to admit readily that their
expertise is really not that unique.

Unfortunately, grandstanding on this front makes it easier for vendors
to promote the view that a researcher, by the act of reporting a
weakness in their code, actually created a threat - and has an
obligation to wait for a fix before reaching out to the public. And as
"responsible disclosure" gains more ground in the community, the
duration of this wait is stretched to routinely mean anywhere from
half a year to 2 years or more.

In fact, I have several pending, high-risk vulnerabilities with
leading software vendors open for 6+ months... and given the fact that
commercial vulnerability trading is also rapidly expanding, it
really does not make me feel very comfortable.

/mz
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
