Why Vulnerability Research Matters

win32sux · 08-23-2010, 06:40 AM

Quote:

It seems that any time there's a high-profile incident in which a vulnerability is disclosed without a patch being available, there is an immediate and loud call from some corners to abolish the practice of vulnerability research. If researchers weren't spending their days poking holes in software, the bad guys wouldn't have so many flaws to exploit and we'd all be safer, this argument goes. But the plain fact is that all of us--users and vendors alike--are far better off because of the work researchers do.

Complete Article

John VV · 08-24-2010, 12:35 AM

reporting ????
well if the original devs are helpful and cooperating with the security researchers
then it should not be disclosed

BUT
if the original devs are NOT helpful and are NOT cooperating with the security researchers( stone walling and blowing off the researchers)
then YES report it to the world

Noway2 · 08-24-2010, 05:42 PM

From the article:

Quote:

If researchers weren't spending their days poking holes in software, the bad guys wouldn't have so many flaws to exploit and we'd all be safer, this argument goes

I guess the same could be said about ANY product testing. If no testing were done, except perhaps for specially designed cases by the manufacturer we would have all perfect products right?

This 'attitude' sounds an awful lot like security through obscurity to me and we all know how well that works.
{edit} I read a comment about how commercial software vendors have a monetary interest in not releasing information regarding discovered vulnerabilities. Doing so could cause potential customers to question whether or not to purchase, patches and upgrades much be sent via distribution channels, etc. I know that I have seen this where I have worked. As a former boss once put it, "I can't lie about the defects that they know about, but I am under no obligation to disclose information about those that they don't". The claim was that the tendency to try and restrict this information in the hopes that nobody notices is a lot of the reason that the researchers started making this information known.