funsec mailing list archives
Re: Security research vuln pimps
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 26 Apr 2010 21:01:43 -0400
Hi Dan, On Mon, Apr 26, 2010 at 12:18 PM, Hubbard, Dan <dhubbard () websense com> wrote:
[SNIP]

> This begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.... We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:
>
> * Security Researcher: One who studies how to secure things and/or how things are not secure in order to find a solution.
> * Security Practitioner: One who applies the findings of the Security Researcher in order to make things more secure.
> * Narcissistic Vulnerability Pimp: One who - solely for the purpose of self-glorification and self-gratification - harms business and society by irresponsibly disclosing information that makes things less secure (or increases risk).
> * Criminal: One who actively subverts security without authorization or deliberately creates ways for others to do so.
You are missing at least 3 definitions so that topics can be succinctly discussed:

(1) The company which produces the software/hardware and does not correct security related deficiencies in a timely manner.

(2) The third party which purchases or obtains security related deficiencies in an effort to promote 'Responsible Disclosure'.

(3) The third party which claims to purchase or obtain security related deficiencies in the name of 'Responsible Disclosure', but does not encourage the company which produces the defective software/hardware to fix the problem. Hence, everyone loses except the company which produces the defective software/hardware, and the company which obtained the deficiency (and which probably profits from a value added service).

For example, CVE-2009-2502 was reported to Microsoft in 2007 by a firm which buys bugs to save everyone from 0-days. Microsoft probably knew about the 2502 bug earlier, since the GDI+/JPEG vuln was made public in Microsoft Security Bulletin MS04-028 (I'm making the leap that Microsoft performed additional audits on the GDI+ module when reports started arriving). Yet the bug was not fixed until 2009 (almost 2 years). See http://seclists.org/fulldisclosure/2009/Oct/196.

Surely the company which did not fix the deficiency in a timely manner (Microsoft) and the vulnerability broker which did nothing to encourage a timely fix (iDefense) should have an appropriate definition (it seems the 'irresponsibility' got turned on its head). The best I can tell from the disclosure, iDefense took great pride in the fact that it reported the bug in 12/2007, and coordinated the disclosure in 12/2009.
[SNIP]
Jeff

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.