Standing on Other's Shoulders, 2008-11-28
None of these researchers and tool builders gave proper credit to those who came before them. It seems ridiculous that a field like security research, which is so important to the running of modern society, is so ad hoc. Shouldn't we know who discovered a vulnerability? Shouldn't all researchers and engineers know about it? More importantly, if someone implements a tool that takes advantage of a vulnerability, shouldn't they credit the discoverer?
Don't get me wrong. Implementation takes a lot of work and sometimes makes all the difference in raising awareness of a security problem. After all, when I was at the L0pht, our slogan was "Making the theoretical, practical". Yet researchers should get credit when credit is due.
The problem has not gone unnoticed. The security community has gotten better at documenting our research, but I still see instances of independent discovery, misplaced credit, and tools giving no credit to researchers. I hate to say it, but getting a bit more academic is in order. Credit is the currency of a researcher, and placing it well will reward the right people, and we will all benefit.
I propose that as a community we use endnote references in security advisories crediting relevant work. The notes should reference the CVE entry or the advisory describing the similar vulnerabilities. Tool writers should do the same.
In 1998, L0phtCrack should have referenced Brezinski's paper as the source of the vulnerability information. In 2000, Rioux's advisory should have referenced that paper too and specified that his discovery was an extension of the NTLM vulnerabilities to the telnet protocol. The later tool writers, Sir Dystic, Gheibi, Niksefat and Metasploit, should all have referenced the Brezinski paper.
With each endnote reference we can build a web of information that can be used to advance the field of security research. It will make it easier for newcomers to learn, for researchers to find similar vulnerabilities, and for the proper people to get credit.
