August 08, 2005

Who's the Real Problem: Gobbles or Mary Ann?

My apologies for the gap in the blog entries. I've been very busy of late. However, this sufficiently raised my ire for me to comment.

Mary Ann Davidson, Chief Security Officer for Oracle, has written a piece on how vulnerability researchers are the real problem with respect to software bugs. Mary Ann outlines the three things that get her goat about vulnerability researchers; they are (to paraphrase):

1) Researchers who expect the problem to get fixed faster than the vendor can get it done
2) Researchers who want notoriety
3) Researchers who want credit for finding a flaw

I'm upset by this article for two reasons. First of all, while Mary Ann nods to the fact that there are different types of researchers, I think she does not do enough to segregate.

She says she thanks the "researchers who are after the public good," but I think that such a researcher is not incompatible with her list. For example, a researcher interested in the "public good" might feel that the Oracle "two year" fix turnaround window (actually 700 days in the case I'm referring to) is a mite too long; I think most of us would agree. In addition, it seems to me that media coverage (press) associated with finding a flaw is good advertising - why is it wrong for a researcher to seek press when it's OK for Oracle to advertise their doings (such as by having the CSO write a piece for news.com)?

All in all, I think folks reading this piece should keep in mind the fact that Mary Ann might just be a little bit biased here... I'm not saying it's right for "researchers" to disclose without contacting the vendor or to try to extort a vendor - however, it seems to me that the best way for vendors to alleviate this problem isn't by complaining about it in the press; it's by reducing the number of issues inherent in the products they ship. Just my two cents...

Posted by Ed at August 8, 2005 09:09 AM