Final position RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
At 4:41 PM -0700 9/21/2000, David LeBlanc wrote:
>(...) At least be
>known for doing solid, professional work.
And that's when you may be proud of the respect that others give you. There's nothing wrong in wanting to be able to be proud of your work, and have that as your motivation. What's wrong is to expect it by doing sloppy work, to grant it on yourself (instead of having it granted to you), or to badger other people with it.
I was shown how to do better work by first doing sloppy work and being told it was, and what I should have done better. With free speech and all, it's inevitable that people will make sloppy or trivial advisories that will annoy you all. The real question of this argument is whether some security work should be ignored or discouraged on the basis of the motivation (which I think is the position taken by Russ, David and Marcus?), or if it should be given a place in the CVE process.
The educational mission of CERIAS means that I can't endorse a position that discourages that kind of security work, because it can be a learning experience. On a scientific basis, each argument, advisory or note must be examined on its own merits, without taking into account who said it or why. If Steve is willing to accommodate that group, I want to help.