
Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey



aleph1@securityfocus.com wrote:
>Given that people cannot make money from disclosing vulnerabilities
>(that would be called blackmail), other than desire of helping
>the world be a more secure place, credit is the only incentive people
>have to disclose vulnerabilities.

I see. At least someone's willing to be honest about what's
going on. So the whole purpose is as a means of marketing
oneself? 

Am I the only person who finds this a rather thin, lame
justification?

>People need some type of remuneration for their work even if it's not
>a financial one.

I see. Ego-gratification?

That's the reason I raised this issue. If folks are really
considering using cryptographic hashes and whatnot, just to
protect their ego-bragging rights, that seems like massive
technological overkill for what's really a social problem.

I.e.: "grow up, guys."

>  Maybe you'd like to stop charging money for NFR, and
>if I recall correctly you weren't particularly thrilled when people took
>copies of the firewall toolkit, your work, and sold it as a commercial
>product without giving you any credit.

There's no similarity at all. I sell a product. It has tangible
value. Not ego value, not marketing value.

>The world is such a cruel place.

It's only a cruel place if you're willing to tolerate such
behavior, Aleph.

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://www.ranum.com

Page Last Updated or Reviewed: May 22, 2007