Firewall Wizards mailing list archives
Re: Sardonix Security Auditing Portal
From: Crispin Cowan <crispin () wirex com>
Date: Thu, 07 Feb 2002 23:57:59 -0800
John McDermott wrote:
> I would suggest adding points for providing the fix, or at least *a* fix, even if the fix is not adopted by the code's maintainer.

I like it. I don't think it should be huge points, but I like it.

> This removes some of the work from the maintainer and encourages the auditor to not only discover problems, but to also discover the specifics of the problem and how it might be fixed. I can see, for example, an individual beating on a tool until it fails and making a report that with a particular input stream or whatever, the tool fails. Actually finding what is wrong is important, so encouraging the finding of a fix might be something to reward.

True, a report of "it segfaults when you do this" is less useful than it could be. Also, discovering that a program can be made to segfault with big/random inputs is not exactly a *source*code* audit.

However, it is the case that it is often a short walk from discovering a seg fault to discovering a buffer overflow or a format bug.

> Another possibility might be to award points for the creation of auditing tools. This is, in general, a hard problem (or else we'd all just test our code with the one true audit program and the site would not be necessary). Rewarding good tools might encourage some of the research necessary to get such tools created.

We reward auditing tools by listing them in our Auditing Resources page: http://sardonix.org/Auditing_Resources.html
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
The Olympic Games: A Century of Corruption and Graft
The FIS: Crushing the soul of snowboarding
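The distinction drawn in the exchange above, between a crash report ("it segfaults on a long input") and an audit finding that names the unbounded copy and ships the bounded replacement, as an added example that is not part of the thread or of any project it mentions. The code is constructed for illustration: the `struct user`, `NAME_MAX`, the 40-byte input and the function names are all assumptions, and the "before" function is kept only as the reference point for the fix and is never executed.

```c
/* Added example (not from the thread): a "segfault report" versus the
 * root-cause fix an auditor would attach to it. Constructed code. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

struct user { char name[NAME_MAX]; };

/* "Before": what a crash report points at. strcpy() has no bound, so any
 * name longer than 31 bytes overruns u->name and corrupts whatever follows.
 * This is the bug behind the segfault; it is kept here as the reference
 * point for the fix and is deliberately never called. */
void set_name_unbounded(struct user *u, const char *src)
{
    strcpy(u->name, src);
}

/* "After": the fix that turns the crash report into an audit finding.
 * snprintf() writes at most NAME_MAX bytes including the NUL and returns
 * the length the full string would have had, so an overlong name becomes
 * an explicit error instead of memory corruption. */
int set_name_bounded(struct user *u, const char *src)
{
    int n = snprintf(u->name, NAME_MAX, "%s", src);
    if (n < 0 || (size_t)n >= NAME_MAX) {
        u->name[0] = '\0';   /* refuse, rather than silently truncate */
        return -1;
    }
    return 0;
}

/* The same distinction for the second bug class the mail names, a format
 * bug: passing untrusted text as the format string lets its '%' sequences
 * drive printf; passing it as an argument to a fixed "%s" format does not.
 * Returns -1 if the line would not fit in the caller's buffer. */
int log_line_fixed(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "[user] %s", untrusted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    struct user u;
    char line[64];
    /* constructed 40-byte input: long enough to overrun a 32-byte field */
    const char *crash_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    printf("bounded copy of overlong name: %d\n", set_name_bounded(&u, crash_input));
    printf("bounded copy of short name:    %d\n", set_name_bounded(&u, "alice"));
    printf("log line status: %d\n", log_line_fixed(line, sizeof line, "%x%x%n"));
    printf("%s\n", line);   /* the '%' sequences are printed, not interpreted */
    return 0;
}
```

The point for a scoring scheme like the one discussed is visible in the two copies: the "before" function is all a fuzzer-style report can identify, while the "after" function plus the one-sentence explanation of why `strcpy` was wrong is the deliverable that saves the maintainer work.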