
Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey



* Marcus J. Ranum (mjr@NFR.NET) [000921 16:29]:
> At 09:36 AM 9/21/00 -0400, Adam Shostack wrote:
> >Alice discovers a vulnerability, and wants to tell Bob, but thinks Bob
> >may steal it.
> 
> 
> If I understand correctly, the concern is that someone might
> "steal" the "credit" for disclosing something? So is this just
> an exercise in protecting marketing rights to see who gets to
> publicly count coup on a vendor?

Given that people cannot make money from disclosing vulnerabilities
(that would be called blackmail), other than the desire to help
the world be a more secure place, credit is the only incentive people
have to disclose vulnerabilities.

People need some type of remuneration for their work even if it's not
a financial one. Maybe you'd like to stop charging money for NFR, and
if I recall correctly you weren't particularly thrilled when people took
copies of the firewall toolkit, your work, and sold it as a commercial
product without giving you any credit.

The world is such a cruel place.

> mjr.
> 
> -----
> Marcus J. Ranum
> Chief Technology Officer, Network Flight Recorder, Inc.
> Work:                  http://www.nfr.net
> Personal:              http://www.ranum.com

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007