Dailydave mailing list archives
Re: What is the state of vulnerability research?
From: security curmudgeon <jericho () attrition org>
Date: Sun, 19 Feb 2006 02:57:35 -0500 (EST)
On Fri, 17 Feb 2006, Etaoin Shrdlu wrote:

: > 1) What is the state of vulnerability research?
:
: We should first examine what is meant by that topic. Vulnerability
: research has come to imply that there is an expectation of a formal (or
: otherwise) release of the results of such research. It seems that it is
: unusual for someone to experiment in the area of vulnerabilities, and
: yet not publish. I note that Forno's survey predicates the role of
: researcher as one who publishes, and I see that your questions expect
: the same.

This is a very good point and one that I imagine was implied as you state. I certainly took this implication in my reply. Obviously there will be public and private research (regardless of what definition is decided). If the nature of private research is to keep it private, or only disclose it in such a way that two parties know the details (i.e., your use of anonymous mailers, direct vendor contact), then I don't think we can ever hope to fully know or diagnose what goes on behind closed doors. Hell, seems like we're pretty unsure of what all happens in the public eye too.

: There is also the question of what vulnerability research is. Do we
: consider every moronic cross site scripting event noted to be a result
: of vulnerability research?

That is one thing that led to my original reply and some comments which offended at least one person. It isn't that someone cuts and pastes a script tag into an application, gets a pop-up box and reports a vulnerability. The thing that irritates me is the ones who don't include enough information for it to be useful (version tested, the actual product, etc.), or spend 1 line disclosing and 30 lines of credit, greets and "found and researched by" type lines. Cut/pasting a character into an application isn't research to me. If you cut/paste a character, fully outline the version tested, indicate it is an SQL injection and not just a path disclosure, test all the scripts included, then it becomes 'research' to me. Of course, there isn't some fine line that one crosses over to make that distinction, rather an overall perception.