funsec mailing list archives
Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws
From: Matthew Murphy <mattmurphy () kc rr com>
Date: Mon, 28 Aug 2006 21:38:25 -0500
Josh Bressers wrote:
>> I did the same thing with vulnerabilities I found before I came to TippingPoint, and others (notably eEye) also engage in this practice. Calling it extortion is completely out of line, IMO.
>
> What does this practice accomplish though? As an outsider it seems that the goal here is to frighten people into purchasing your service lest they be compromised.
I engaged in this practice before I was hired by TippingPoint. If you're an individual or organization with enough visibility (which I probably was not, but TippingPoint is), it can really turn heads to name vendors whose products have had vulnerabilities go unremedied for extended periods of time. The sheer number of vulnerabilities acquired and the severity of the issues that ZDI deals with means vendors who end up with vulnerability reports consistently lagging in queues at TippingPoint may have a PR problem on their hands. The researchers who contribute to the ZDI are aware of this, and as a result, this type of "pipeline" information was widely requested of us.

We also gain from having the TippingPoint name associated with the publicity that the public reports generate. The calculation is not one of: "If we don't buy TippingPoint, we'll be compromised." That's not our goal.

3Com shares the details of issues acquired through the ZDI program with other security vendors (including competitors) for use in their products, if they can meet a minimum standard for resistance to reverse engineering of the vulnerability information.

What we DO want customers to recognize, however, is that TippingPoint is the only company out there who's willing to put our money where our mouth is and go after the best threat information we can buy. While you shouldn't take what I've said here as official (I don't speak as a company rep), I believe TippingPoint has much to gain from putting information out there in an aggressive, yet responsible manner. I also believe that TippingPoint's end goal is not to inspire fear in competitors' customers, but confidence for our own customers that we go the extra mile.
Current thread:
- TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Fergie (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Dude VanWinkle (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Michal Zalewski (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Dude VanWinkle (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Matthew Murphy (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Josh Bressers (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Matthew Murphy (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Michal Zalewski (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws ric k (Aug 30)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Michal Zalewski (Aug 28)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Dude VanWinkle (Aug 29)
- Re: TippingPoint's 'Zero-Day Initiative' to Publish Unpatched Flaws Dude VanWinkle (Aug 28)