funsec mailing list archives

Re: Security research vuln pimps


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 26 Apr 2010 21:01:43 -0400

Hi Dan,

On Mon, Apr 26, 2010 at 12:18 PM, Hubbard, Dan <dhubbard () websense com> wrote:

[SNIP]

This begins with setting a few principles and regularly using more accurate
descriptors in our publications and daily conversations....
We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use
the following definitions:

   * Security Researcher: One who studies how to secure things and/or how
       things are not secure in order to find a solution.
   * Security Practitioner: One who applies the findings of the Security
       Researcher in order to make things more secure.
   * Narcissistic Vulnerability Pimp: One who - solely for the purpose of
       self-glorification and self-gratification - harms business and society by
       irresponsibly disclosing information that makes things less secure
       (or increases risk).
   * Criminal: One who actively subverts security without authorization or
       deliberately creates ways for others to do so.


You are missing at least 3 definitions so that topics can be
succinctly discussed:
(1) The company which produces the software/hardware and does not
correct security related deficiencies in a timely manner.
(2) The third party which purchases or obtains security related
deficiencies in an effort to promote 'Responsible Disclosure'.
(3) The third party which claims to purchase or obtain security
related deficiencies in the name of 'Responsible Disclosure', but
does not encourage the company which produces the defective
software/hardware to fix the problem. Hence, everyone loses except the
company which produces the defective software/hardware, and the
company which obtained the deficiency (and which probably profits from
a value added service).

For example, CVE-2009-2502 was reported to Microsoft in 2007 by a firm
which buys bugs to save everyone from 0-days. Microsoft probably knew
about the 2502 bug earlier, since the GDI+/JPEG vuln was made public
in Microsoft Security Bulletin MS04-028 (I'm making the leap that
Microsoft performed additional audits on the GDI+ module when reports
started arriving). Yet the bug was not fixed until 2009 (almost 2
years). See http://seclists.org/fulldisclosure/2009/Oct/196.

Surely the company which did not fix the deficiency in a timely manner
(Microsoft) and the vulnerability broker which did nothing to
encourage a timely fix (iDefense) should have an appropriate
definition (it seems the 'irresponsibility' got turned on its head).
The best I can tell from the disclosure, iDefense took great pride in
the fact that it reported the bug in 12/2007, and coordinated the
disclosure in 12/2009.

[SNIP]

Jeff

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.