Dailydave mailing list archives

Speaking about a market for vulnerabilities


From: Dick Power <dickpower () gmail com>
Date: Fri, 4 Mar 2005 17:55:14 -0500

It seems to me that the likelihood of 200 VSCs forming (Chris's earlier
suggestion) is discredited by this very article on iDefense.  Seems more
like maybe 2-4 VSCs might exist, functioning as a focal point for
researchers to make some quick cash selling their bugs to established
players.

Also, what dgeer proposes is a lot closer to extortion but has a valid
underlying point.  Information has value that decreases as the number of
people with that information increases.  There's value in being first to
know and THAT is the basis of the VSC.  This is something mudge was claiming
years ago.  Taken to the extreme that geer offers, it might actually be
extortion, but it seems like VSCs can have 1-2 tiers of membership (i.e.,
0days, then perhaps 30days, then perhaps pdays where public release is made)
without getting too far into the realm of extortion.

Large vendors might pay BIG bucks to see the latest vulns, even learning off
the vulns of their competition to make sure their products are not vuln to
the same thing.  Then the smaller players can come in and still impress
folks that they're "in the know".  Finally, the general public is advised so
that it becomes difficult for vendors to sweep these bugs under the rug, as
public release does seem to do.

One final note to Mr. Geer - as you have stated in the past, complexity is
the enemy of security.  Why is it every time you write about security your
geer-speak is so complex that it seems to take the better part of a day to
get to your (always brilliant) message?  I feel like I'd become enlightened
if I had a year to decipher the volumes you've written.  Perhaps a morsel of
that brain power might be directed at simplifying your communications to a
point that those down in the trenches stop looking up at your posts like
they're some sort of message from outer space...

heh, just a thought from an ardent admirer who still has problems spelling
and hates to have to save off 99% of your messages for that day that I have
time to perform cryptanalysis on them; and hates to see you get so much shit
(publicly and privately) every time you hit SEND.

     Dick Power
     Free-lance
  Incident Responder
pr0n producer/director
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave