BugTraq
Security researchers organization Nov 17 2003 09:09PM
Thor Larholm (thor pivx com) (1 replies)
Re: Security researchers organization Nov 19 2003 10:13PM
Crispin Cowan (crispin immunix com) (1 replies)
Thor Larholm wrote:

>>From: Russ [mailto:Russ.Cooper (at) rc.on (dot) ca [email concealed]]
>>(Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
>><snip http://tinyurl.com/ve83>
>>Thor Larholm proposed the idea of a "Union" to me. While I don't like
>>the concept of unions in this day and age, our field is one that
>>could benefit from such an idea wrt discoverers. They are far too
>>often bashed (and I have been guilty of this), and often not
>>recognized for what they do.
>>
The Sardonix.org security auditing web site was designed to do something
like this. It is not a "union", more like the Slashdot version of source
code auditing. Sardonix provides:

* Auditing resources: pointers to how-to's, tools, etc.
http://sardonix.org/Auditing_Resources.html
* Indexed lists of audited packages
http://sardonix.org/Browse_Programs.html
* Web form for submitting an audit
http://sardonix.org/Submit_Audit.php which triggers a responsible
disclosure process that follows the RFP
<http://www.wiretrip.net/rfp/policy.html> disclosure protocol
* Mailing list for all the usual reasons
http://sardonix.org/Mailing_List.html

The problem was that we threw a party and no one came: hundreds signed
up for the mailing list, but a majority of submitted audits were pushed
in by students of David Wagner @ Berkeley, who were told to submit
audits as a class assignment.

A subtle distinction may be the root cause here: Sardonix seeks to
change the research model from "find a bug, win a prize! (fame & glory
for half a day)" to "audit software, report what you find, and win a
reputation for the long term." Having a pile of audited software is
*much* more useful to admins than an endless stream of "gotcha again!"
advisories. But from the lack of response from security investigators, I
conjecture that "find a bug, win a prize!" is more fun to do, and so
that's what investigators choose to do.

I would just *love* to be wrong here. If there is something I can do to
make Sardonix more attractive to investigators, without fundamentally
changing its mission, sing out. I don't feel a need to change it over to
"find a bug, win a prize" because Bugtraq, vuln-dev, etc. do a fine job
of that: Sardonix is different to fill a perceived unmet need. But if it
doesn't interest investigators, then it doesn't do anything at all. So
how about it; what does it take to interest investigators?

Thanks,
Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/

help needed with DotGNU security review (was Re: ..researchers org..) Nov 21 2003 03:56PM
Norbert Bollow (nb SoftwareEconomics biz) (1 replies)
Re: help needed with DotGNU security review (was Re: ..researchers org..) Nov 22 2003 04:38AM
Crispin Cowan (crispin immunix com)
Copyright 2010, SecurityFocus