On Thu, 22 Aug 2002, Adam Shostack wrote:
> Clearly, people should not be restricted from doing what they want with information. However, if you are concerned about the state of computer security, then I think encouraging more and better communication amongst "white hats" is a good idea.
Yes, I think all exploits need to be published. I'm not sure how soon is soon enough; a month from discovery to publication seems OK to me, but that's easy to argue with too.
> (An interesting question is 'Is there a difference between selling information you know you have and information you expect to have?'
Hmmm... anyone want to create a futures market for code exploits?
> which is what many security companies have been doing for a while: hiring the people who find exploits to find them for their commercial profit. The difference is that those security companies paid salary, not contracting rates.)
My experience with contracting rates is much better than paid salary. The difference is that salary jobs are longer term; it's something a company wants to do for a long time. Contract jobs are short term. I think it's true that exploits will always be there to find, and it is definitely in a security company's best interest to have people continuously looking for problems. Who they tell and when becomes an interesting topic in and of itself, but I think it's important that all security problems be published within a reasonable time.

Patience, persistence, truth,
Dr. mike