Penetration Testing mailing list archives
RE: Things to do before vulnerability disclosure
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 19 Jun 2009 14:08:07 -0400
> This isn't a topic I really know much of anything about. But it seems to me, that if there were no "good guy" researchers, then bad software would be penetrated and makers of bad software would die quickly.
We've learned from past experience that individual penetrations don't harm vendors of vulnerable software. Pretty much the only thing that does is widespread automated attacks like a worm. So for a vendor whose market share isn't large enough to support a worm, it's unlikely that they feel any adverse effects from software vulnerabilities in their products without some form of public disclosure.
> My question is, could it be that vulnerability research by the "good guys" simply allows companies to release crappy code and receive free support from the community?

Absolutely. But without the research, those same companies would release crappy software. The support from the community is really also support FOR the community that must subsist on their crappy products. That's why disclosure is such a mess - the vendors are terrible middlemen for the process because they are disincented to make it work. Even if they take a beating with their customers, actually managing vuln reporting and remediation is against their best interests. Releasing software that their customers believe to be secure is what they need to do. That's why Microsoft threw orders of magnitude more money at SDL than they did at growing MSRC. The return was in better new code, not fixing old code.

PaulM