Secure Coding mailing list archives
Disclosure: vulnerability pimps? or super heroes?
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 5 Mar 2007 14:36:01 -0500 (EST)
On Tue, 27 Feb 2007, J. M. Seitz wrote:
Always a great debate. I somewhat agree with Marcus: there are plenty of "pimps" out there looking for fame, and there are definitely a lot of them (us) that are working behind the scenes, taking the time to help the vendors and to stay somewhat out of the limelight.
Do the people who write the books to avoid the vulns, sell the tools, and give talks at conferences stay out of the limelight as well? What about all those podcasts? They should be discounted too, since they're clearly pimping something. They must have ulterior motives. Don't get me started on those rabble-rousers who complain about voting machine security.

Not that I don't have issues with how disclosure happens sometimes, but the anti-researcher sentiment that castigates them based on "looking for fame" by people who are themselves "famous" strikes me as a bit hypocritical. Why do we know that Marcus designed the White House's first firewall? 'cause he told us, that's why.

We're very lucky that assumed fame-hunters like Cesar Cerrudo and David Maynor have decided that they won't bother telling the vendor about vulns they find because of all the trouble it gets them into. It's quite unfortunate that Litchfield has almost single-handedly dared to question Oracle's claim that it's unbreakable. Perhaps we would prefer that these pimpers stop giving us disclosure timelines that show that they notified vendors about issues months or YEARS before the vendors actually got around to fixing them. We can go back to security through obscurity, the old fashioned way, by lawsuits and threats. Like what happened at Black Hat last week, but with less press.

Basically, I have an issue with the criticism of this aspect of researcher "pimpage" when it's usually the pot calling the kettle black, when most of us are getting paid one way or another for this work, and there's a pervasive inability to recognize that many such researchers feel forced to disclose when the vendor still does nothing. And many researchers aren't in it for the fame, which is the assumption that the pimpage argument is based on.

Sorry, must be a case of the Mondays combined with this building up over a year or two. The vuln researchers are the only parts of this business who get no respect.

- Steve