Disclosure: vulnerability pimps? or super heroes?

[michaelslists at gmail.com (Michael Silk)]

On 2/28/07, Gary McGraw <gem at cigital.com> wrote:
> Hi all,
>
> The neverending debate over disclosure continued at RSA this year with a
> panel featuring Chris Wysopl and others rehashing old ground.  There are
> points on both sides, with radicals on one side (say marcus ranum)
> calling the disclosure people "vulnerability pimps" and radicals on the
> other saying that computer security would make no progress at all
> without disclosure.
>
> I've always sought some kind of middle ground when it comes to
> disclosure.  The idea is to minimize risk to users of the broken system
> while at the samne time learning something about security and making
> sure the system gets fixed.


I think havning extremists is a good thing. Forces people to re-evaluate
their position and actually do things, instead of having a disucssion about
it. Without that there would be middle grounders sitting around wondering
about the best approach. With the extremists these middlegrounders have to
react, or at least companies do. Which is only good.


Disclosure is the subject of my latest Darkreading column:
> http://www.darkreading.com/document.asp?doc_id=118174
>
> What do you think?  Should we talk about exploits?  Should we out
> vendors?  Is there a line to be drawn anywhere?



I think if you find an exploit do what you personally want. If I had time to
research them, I'd probably be pimping them out for as much as I could; why
not? I can decide. I found it. Same to you, with what you found.

The only line will come if some authority in some country makes it illegal
to sell them. And obviously there would be incredible difficulties in
isolating that, IMHO.


gem
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> book www.swsec.com



-- mike (s1, s2, s3) ;
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070228/5d32d73d/attachment.html