Dailydave mailing list archives
Speaking about a market for vulnerabilities
From: Dick Power <dickpower () gmail com>
Date: Fri, 4 Mar 2005 17:55:14 -0500
It seems to me that the likelihood of 200 VSCs forming (Chris's earlier suggestion) is discredited by this very article on iDefense. Seems more like maybe 2-4 VSCs might exist, functioning as a focal point for researchers to make some quick cash selling their bugs to established players.

Also, what dgeer proposes is a lot closer to extortion but has a valid underlying point. Information has value that decreases as the number of people with that information increases. There's value in being first to know and THAT is the basis of the VSC. This is something mudge was claiming years ago. Taken to the extreme that geer offers might actually be extortion, but it seems like VSCs can have 1-2 tiers of membership (i.e., 0days, then perhaps 30days, then perhaps pdays where public release is made) without getting too far into the realm of extortion. Large vendors might pay BIG bucks to see the latest vulns, even learning off the vulns of their competition to make sure their products are not vuln to the same thing. Then the smaller players can come in and still impress folks that they're "in the know". Finally, the general public is advised so that it becomes difficult for vendors to sweep these bugs under the rug, as public release does seem to do.

One final note to mr. geer - as you have stated in the past, complexity is the enemy of security. Why is it every time you write about security your geer-speak is so complex that it seems to take the better part of a day to get to your (always brilliant) message? I feel like I'd become enlightened if I had a year to decipher the volumes you've written. Perhaps a morsel of that brain power might be directed at simplifying your communications to a point that those down in the trenches stop looking up at your posts like they're some sort of message from outer space...
heh, just a thought from an ardent admirer who still has problems spelling and hates to have to save-off 99% of your messages for that day that I have time to perform cryptanalysis on them; and hates to see you get so much shit (publicly and privately) every time you hit SEND.

Dick Power
Free-lance Incident Responder
pr0n producer/director