
Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey



* Marcus J. Ranum (mjr@NFR.NET) [000921 18:32]:
> I see. At least someone's willing to be honest about what's
> going on. So the whole purpose is as a means of marketing
> oneself?
> 
> Am I the only person who finds this a rather thin, lame
> justification?

It is lame that someone is trying to make a name for themselves?
Of course you are entitled to your opinion.

> I see. Ego-gratification?

So I guess all people in academia are only ego driven because
they ask to be credited for their work. Guess what, it's human nature.
If you can't feel good about yourself and your work you may as well
snuff yourself.

> That's the reason I raised this issue. If folks are really
> considering using cryptographic hashes and whatnot, just to
> protect their ego-bragging rights, that seems like massive
> technological overkill for what's really a social problem.
> 
> I.e.: "grow up, guys."

The realities of this business are that vulnerability disclosures
are used as a marketing vehicle. You don't like it and can't do
anything better than calling it ego-bragging.


> There's no similarity at all. I sell a product. It has tangible
> value. Not ego value, not marketing value.

And vulnerability information has no tangible value? That seems like
a strange statement coming from you or any other IDS or vulnerability
scanner vendor. After all, you make your money from taking the same
vulnerability information you say is worthless and making tests and
signatures for it and then selling it to customers at a high price
without paying anything to the people that discovered the vulnerability.

How are you different? You exchange your work for money. Someone else
exchanges their work for credit. You say that people are childish
for wishing to get credit for their work, but you are not childish
for wishing to get money from yours.

Seems like a double standard to me.

> It's only a cruel place if you're willing to tolerate such
> behavior, Aleph.

Sounds to me like sour grapes.

> mjr.
> -----
> Marcus J. Ranum
> Chief Technology Officer, Network Flight Recorder, Inc.
> Work:                  http://www.nfr.net
> Personal:              http://www.ranum.com

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007