[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Final position RE: [CVEPRI] Handling new vulnerabilities disc overed by Steve Christey



> From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]

> 	I was shown how to do better work by first doing sloppy
> work and being told it was, and what I should have done
> better.  With free speech and all, it's inevitable that
> people will make sloppy or trivial advisories that will annoy
> you all.  The real question of this argument is whether some
> security work should be ignored or discouraged on the basis
> of the motivation (which I think is the position taken by
> Russ, David and Marcus?), or if it should be given a place in
> the CVE process.

It is my position that people should post material that is technically
solid, and should be encouraged to do so. I personally dislike the advisory
game and what it has become.  I do not propose ignoring work, as regardless
of motivation, it can contain useful information. I do find it annoying when
I have to do a lot of work to get the useful information instead of the
original discoverer communicating that to me.

I don't interpret what Russ or Marcus has said to actually discourage work,
but rather to encourage people to be adult about presenting their work, and
responsible with the consequences of how and when they disclose issues. If
I'm not reflecting their views correctly, my apologies, and they should
clarify themselves.
 	
> 	The educational mission of CERIAS means that I can't
> endorse a position that discourages that kind of security
> work, because it can be a learning experience.  On a
> scientific basis, each argument, advisory or note must be
> examined on its own merits, without taking into account who
> said it or why.  If Steve is willing to accommodate that
> group, I want to help.

I agree, but it is such a pity that so much of the input data is, on a
scientific basis, extremely flawed, inaccurate and poorly thought out. This
is because we're dealing with one of the few fields where most 'researchers'
go through no accreditation process or training whatsoever.  It also tends
to make it a bit less stodgy and more interesting, so it is a trade-off.

It isn't the work itself that I discourage, but irresponsible reporting of
the information, low ethical standards where people will regularly slam one
vendor, but leave the one who pays them alone, low quality information, and
very childish fights over who got there first.  I can do without all of
that, but maybe they'll grow up, and I know of at least one person who used
to regularly give me half-baked reports that couldn't be repro'd, but had a
kernel of truth most of the time.  He's now one of the better researchers
and gives solid reports that are easy to repro - and he's responsible with
vendors.

Funny how Steven's concerns about reserving a few numbers for himself has
turned into such a heated discussion.

Page Last Updated or Reviewed: May 22, 2007