Re: [Dailydave] What is the state of vulnerability research?

From: security curmudgeon (jerichoattrition.org)
Date: Sun Feb 19 2006 - 01:57:35 CST


On Fri, 17 Feb 2006, Etaoin Shrdlu wrote:

: > 1) What is the state of vulnerability research?
:
: We should first examine what is meant by that topic. Vulnerability
: research has come to imply that there is an expectation of a formal (or
: otherwise) release of the results of such research. It seems that it is
: unusual for someone to experiment in the area of vulnerabilities, and
: yet not publish. I note that Forno's survey predicates the role of
: researcher as one who publishes, and I see that your questions expect
: the same.

This is a very good point and one that I imagine was implied as you state.
I certainly took this implication in my reply. Obviously there will be
public and private research (regardless of what definition is decided). If
the nature of private research is to keep it private, or only disclose it
in such a way that two parties know the details (i.e., your use of anonymous
mailers, direct vendor contact), then I don't think we can ever hope to
fully know or diagnose what goes on behind closed doors. Hell, seems like
we're pretty unsure of what all happens in the public eye too.

: There is also the question of what vulnerability research is. Do we
: consider every moronic cross site scripting event noted to be a result
: of vulnerability research?

That is one thing that led to my original reply and some comments which
offended at least one person. It isn't that someone cuts and pastes a
script tag into an application, gets a pop up box and reports a
vulnerability. The things that irritate me are the ones who don't include
enough information for it to be useful (version tested, the actual
product, etc.), or spend 1 line disclosing and 30 lines of credit, greets
and "found and researched by" type lines. Cut/pasting a character into an
application isn't research to me. If you cut/paste a character, fully
outline the version tested, indicate it is an SQL injection and not just a
path disclosure, test all the scripts included, then it becomes 'research'
to me. Of course, there isn't some fine line that one crosses over to make
that distinction, rather an overall perception.