Shostack + Friends Blog Archive

Piscitello on Bugtraq

My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure:

I think that Dave has a valid point here, but not all interesting security bugs are on corporate networks. A no-credential overflow in the new Doom, for example, would create tens of thousands of new zombie machines, and is broadly relevant. (Not to mention the number of work machines used for blowing off steam after hours. In violation of policy of course.)

I’m curious: If we want these bug hunters to be more useful to us, how can we encourage them to find better bugs?

[Update: More in response to Pete Lindstrom’s comments in a Nov 13 post.]

2 comments on "Piscitello on Bugtraq"

  • Pete says:

    We shouldn’t be encouraging them to find bugs at all. See “Folly of Vulnerability Seeking” at,289483,sid14_gci1014528,00.html.
    To the extent that it will continue, we need to provide constraints – specific applications and specific time periods – to the search process. This will allow for success in specific areas.

  • DM says:

    An interesting argument. However, the fact is that with regard to at least the big vendors, many of them won’t pay attention to the demand for better security unless someone out there is actively pointing out the vulnerabilities. Why has Microsoft finally started building security? Because customers are finally demanding it both at home and in the workplace. These high profile worms have been a pain in the ass to be sure, but we’re also seeing better product as a result….
