the underground software vulnerability marketplace and its hazards (fwd)

Mike Rosing eresrch at eskimo.com
Thu Aug 22 11:40:59 PDT 2002


On Thu, 22 Aug 2002, Adam Shostack wrote:

> Clearly, people should not be restricted from doing what they want
> with information.  However, if you are concerned about the state of
> computer security, then I think encouraging more and better
> communication amongst "white hats" is a good idea.

Yes, I think all exploits need to be published.  I'm not sure how
soon is soon enough - a month from discovery to publication seems
ok to me.  But that's easy to argue with too.

> (An interesting question is 'Is there a difference between selling
> information you know you have and information you expect to have?'

Hmmm... anyone want to create a futures market for code exploits?

> which is what many security companies have been doing for a while:
> Hiring the people who find exploits to find them for their commercial
> profit.  The difference is that those security companies paid salary,
> not contracting rates.)

My experience with contracting rates is much better than paid salary.
The difference is that salary jobs are longer term; it's something
a company wants to do for a long time.  Contract jobs are short term.
I think it's true that exploits will always be there to find, and
it's definitely in a security company's best interest to have people
continuously looking for problems.  Who they tell and when becomes
an interesting topic in and of itself, but I think it's important
that all security problems be published within a reasonable time.

Patience, persistence, truth,
Dr. mike
