Dailydave mailing list archives
Re: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow.
From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 09 Jun 2005 14:01:13 -0700
john blumenthal wrote:
> johnb: in the auction model I am proposing the seller would need to describe the vulnerability in order for the buyer to make a qualified decision. This would be similar to the current disclosure model, in that the vendor could be notified that not only the exploit exists, it's going up for auction on date X. In addition, the exploit would need to be verified by the independent auditor (0bay) prior to auction. Participants would get to rank the credibility of the seller and the value of the exploit based on the description and validation.
I've observed that even a description of a vulnerability with no technical details is often enough to put an experienced researcher on the right track. The second researcher re-finds the bug described, or finds a similar one in the same area that often devalues the original one. How do you propose to find the balance between the need to describe one's awesome hole for marketing purposes, and the need to keep it exclusive? Note that in the 0bay scenario, the public (I assume) gets to watch the auctions, and so can observe that, say, 10 Oracle exploits were sold last week, and factor that into any planning. Not that the general public seems to make much of a buying decision based on track record, but to the small degree that it does... I imagine knowing that there are N 0day for a product you use has to accelerate that a little.
> johnb: As long as license agreements continue to transfer all risk to the licensee I believe we do not have a research model that works. I am researching not what motivates security researchers in reality; I am looking at what suspends basic economic principles in producer-consumer relationships when it comes to software.
Why don't the attempts by software vendors to license away your right to find holes work? It's been tried numerous times now. Each time, the vendor with deep pockets has backed off. Is it really just the outcry that is making them back off? Are they afraid to take EULAs to court?

BB

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave