Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
* Marcus J. Ranum (mjr@NFR.NET) [000921 16:29]:
> At 09:36 AM 9/21/00 -0400, Adam Shostack wrote:
> >Alice discovers a vulnerability, and wants to tell Bob, but thinks Bob
> >may steal it.
> If I understand correctly, the concern is that someone might
> "steal" the "credit" for disclosing something? So is this just
> an exercise in protecting marketing rights to see who gets to
> publicly count coup on a vendor?
Given that people cannot make money from disclosing vulnerabilities
(that would be called blackmail), other than the desire to help
the world be a more secure place, credit is the only incentive people
have to disclose vulnerabilities.
People need some type of remuneration for their work even if it's not
a financial one. Maybe you'd like to stop charging money for NFR, and
if I recall correctly you weren't particularly thrilled when people took
copies of the firewall toolkit, your work, and sold it as a commercial
product without giving you any credit.
The world is such a cruel place.
> Marcus J. Ranum
> Chief Technology Officer, Network Flight Recorder, Inc.
> Work: http://www.nfr.net
> Personal: http://www.ranum.com
Si vis pacem, para bellum