, 2006-03-07
There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn't exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have in making these issues public?
The value of vulnerabilities
2006-03-08
Omar A. Herrera (2 replies)
Re:Good Points
2006-03-08
R_U_Trustified (2 replies)
Re: Re:Good Points
2006-03-09
Matthew Murphy (1 reply)
Re: Re: Re:Good Points
2006-03-14
Robert E. Lee (1 reply)

Why are they paying for vulns? Because security is "cool" now. Also, for certain companies, it makes sense for them to pay iDefense for their services. For example, Adobe. If researchers know that iDefense is interested in Adobe vulns, there is probably going to be a large number of researchers that will audit Adobe code. So Adobe gets to have their code audited by a wide variety of people without having to staff an entire team of QA engineers. I don't know what iDefense charges their clients, but I would confidently bet that it's MUCH less than what Adobe would have to pay for an entire team of QA engineers. So in a way it's like outsourcing your security to people that specialize in finding vulns. Is this the answer? Personally, I think it's not. Every software project, whether it is open source or closed source, should have a number of auditors on their team. Companies that are making bankloads of money have absolutely NO EXCUSE for not having such a team. Open source projects are in a somewhat different boat. They can't just hire people, so they rely on researchers auditing their code, or users submitting bug reports, etc.
Link to this comment: http://www.securityfocus.com/comments/columns/391/33339#33339