Bugtraq mailing list archives

help needed with DotGNU security review (was Re: ..researchers org..)


From: Norbert Bollow <nb () SoftwareEconomics biz>
Date: Fri, 21 Nov 2003 16:56:26 +0100 (CET)

Crispin Cowan <crispin () immunix com> wrote:

> A subtle distinction may be the root cause here: Sardonix seeks to 
> change the research model from "find a bug, win a prize! (fame & glory 
> for half a day)" to "audit software, report what you find, and win a 
> reputation for the long term." Having a pile of audited software is 
> *much* more useful to admins than an endless stream of "gotcha again!" 
> advisories. But from the lack of response from security investigators, I 
> conjecture that "find a bug, win a prize!" is more fun to do, and so 
> that's what investigators choose to do.

Hmm...  I'd say that from the admin's perspective, the main problem
with the "find a bug, win the right to publish an advisory" system
of non-monetary rewards for finding security vulnerabilities is that
it tends to happen only after the software in question is widely
deployed, so that the endless stream of "gotcha again!" advisories
means endlessly having to upgrade the same software over and over
again.

How should I go about trying to find people who are skilled in the
area of finding security bugs, and who would be willing to have a
good look at key components of DotGNU (see http://dotgnu.org ) before
they're widely deployed?

In particular, right now it'd be good to have skilled "security
review" help with DotGNU Portable.NET in these areas:

 * checking the adherence of the bytecode verifier to the published
   spec and security conditions

 * range-checking of all values that need it

 * environmental security - controlling access to system facilities
   such as files, network, preferences, etc

We're interested both in documentation of problems, as well as in
documentation of things that are not problems.  Discussion of these
and related matters is welcome on the pnet-developers mailing list,
see http://dotgnu.org/mailman/listinfo/pnet-developers .

Nota bene, we're aware that Portable.NET still lacks certain security
features, especially in the area of environmental security, and we
can use help with identifying all of the places where security will
need tightening for both app usage and applet usage.

Greetings, Norbert.

-- 
Founder & Steering Committee member of http://gnu.org/projects/dotgnu/
Free Software Business Strategy Guide   --->  http://FreeStrategy.info
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59        Fax +41 1 972 20 69       http://norbert.ch