funsec mailing list archives
Re: Security research vuln pimps
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Mon, 26 Apr 2010 14:36:41 -0700
This is a whiney argument for purported security-by-obscurity, and it completely ignores the possibility of independent discovery.
If my memory serves me right, I found over 200 vulnerabilities, pretty much all of them in high-profile client- and server-side apps. This makes me think I have a pretty good body of evidence to work with. Now, with this in mind: let me categorically assert that *none* of these findings I would attribute to my amazing brilliance, divine intervention, or any other unique circumstances. A vast majority of them were just a result of the security community reaching a certain body of critical knowledge - having a better understanding of what can go wrong, where to look for it, and how to automate the testing with simple fuzzers and similar validation frameworks... and then simply picking an obvious target to go after. Another interesting data point: in my experience, when you do this with sufficiently buggy application, most of the problems you find would turn out to be dupes of what other researchers discovered weeks or months earlier. I suspect the same pattern applies to a vast majority of my peers, though not all of them are ready to admit it readily that their expertise is really not that unique. Unfortunately, grandstanding on this front makes it easier for vendors to promote the view that a researcher, by the act of reporting a weakness in their code, actually created a threat - and has an obligation to wait for a fix before reaching out to the public. And as "responsible disclosure" gains more ground in the community, the duration of this wait is stretched to routinely mean anywhere from half a year to 2 years or more. In fact, I have several pending, high-risk vulnerabilities with leading software vendors open for 6+ months... and given the fact that the commercial vulnerability trading is also rapidly expanding, it really does not make me feel very comfortable. /mz _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Security research vuln pimps Hubbard, Dan (Apr 26)
- Re: Security research vuln pimps der Mouse (Apr 26)
- Re: Security research vuln pimps Dave Paris (Apr 26)
- Re: Security research vuln pimps Rich Kulawiec (Apr 26)
- Re: Security research vuln pimps der Mouse (Apr 26)
- Re: Security research vuln pimps Michal Zalewski (Apr 28)
- Re: Security research vuln pimps Jeffrey Walton (Apr 26)
- Re: Security research vuln pimps Peter Kosinar (Apr 26)
- Re: Security research vuln pimps Hubbard, Dan (Apr 26)
- Re: Security research vuln pimps Peter Kosinar (Apr 26)
- Re: Security research vuln pimps der Mouse (Apr 26)