Secure Coding mailing list archives
Disclosure: vulnerability pimps? or super heroes?
From: michaelslists at gmail.com (Michael Silk)
Date: Wed, 28 Feb 2007 10:18:33 +1100
On 2/28/07, Gary McGraw <gem at cigital.com> wrote:
Hi all, The neverending debate over disclosure continued at RSA this year with a panel featuring Chris Wysopl and others rehashing old ground. There are points on both sides, with radicals on one side (say marcus ranum) calling the disclosure people "vulnerability pimps" and radicals on the other saying that computer security would make no progress at all without disclosure. I've always sought some kind of middle ground when it comes to disclosure. The idea is to minimize risk to users of the broken system while at the samne time learning something about security and making sure the system gets fixed.
I think havning extremists is a good thing. Forces people to re-evaluate their position and actually do things, instead of having a disucssion about it. Without that there would be middle grounders sitting around wondering about the best approach. With the extremists these middlegrounders have to react, or at least companies do. Which is only good. Disclosure is the subject of my latest Darkreading column:
http://www.darkreading.com/document.asp?doc_id=118174 What do you think? Should we talk about exploits? Should we out vendors? Is there a line to be drawn anywhere?
I think if you find an exploit do what you personally want. If I had time to research them, I'd probably be pimping them out for as much as I could; why not? I can decide. I found it. Same to you, with what you found. The only line will come if some authority in some country makes it illegal to sell them. And obviously there would be incredible difficulties in isolating that, IMHO. gem
company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com
-- mike (s1, s2, s3) ; -------------- next part -------------- An HTML attachment was scrubbed... URL: http://krvw.com/pipermail/sc-l/attachments/20070228/5d32d73d/attachment.html
Current thread:
- Disclosure: vulnerability pimps? or super heroes? Gary McGraw (Feb 27)
- Disclosure: vulnerability pimps? or super heroes? J. M. Seitz (Feb 27)
- Disclosure: vulnerability pimps? or super heroes? Blue Boar (Feb 27)
- Disclosure: vulnerability pimps? or super heroes? Steven M. Christey (Mar 05)
- Disclosure: vulnerability pimps? or super heroes? Stuart Moore (Mar 05)
- Disclosure: vulnerability pimps? or super heroes? Michael Silk (Feb 27)
- <Possible follow-ups>
- Disclosure: vulnerability pimps? or super heroes? Gary McGraw (Mar 05)
- Disclosure: vulnerability pimps? or super heroes? Kenneth Van Wyk (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Blue Boar (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Steven M. Christey (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Steven M. Christey (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? Kenneth Van Wyk (Mar 06)
- Disclosure: vulnerability pimps? or super heroes? J. M. Seitz (Feb 27)