The Vulnerability Disclosure Game
Friday October 19, 2007
Vulnerability discovery and disclosure is big business. Some "security research" groups have established their very existence on their ability to reverse engineer, penetration test, and otherwise poke holes in software. They race to earn the bragging rights as the first group or person to find a weakness or flaw. Operating system and application developers struggle to keep up with the flood of vulnerabilities and patch their products to close the holes. In some cases, vulnerabilities are announced publicly before the software developer is even notified. One web site has sprung up specifically to provide an eBay-style marketplace to buy, sell, and trade vulnerability and exploit information. Does any of this make us more secure though? My friend Marcus Ranum wrote an article for CSOOnline.com discussing the vulnerability disclosure game and its impact on information security. Read Ranum's article, The Vulnerability Disclosure Game: Are We More Secure? for more insight.
Comments
I completely agree with Ragnum’s statement that “It seems that virtually every aspect of life is becoming increasingly computerized and exposed to online attack” and that these flaws are only becoming increasingly dangerous.
One of the major problems is that it’s so easy for those doing great harm to hide in the current system/lack of system. Tony Rutkowski makes a great argument that we need to employ trusted identity management on the net or face devestating consequences.