Monday, 11 February 2008
I know something you don't know
It seems the vulnerability disclosure is taking on a new slant. All the previous reports I've seen on this subject have largely been about those researchers who disclose vulns get hammered by law enforcement agencies or big companies. However, this one takes on a new twist. RealPlayer11 has a bug and Evgeny Legerov has found it. However, it appears this guy has a group of "customers" who he sells bugs to but won't disclose to the original developer. In the daniweb blog the author discribes this as blackmail. I'm certain it's not blackmail, but ethically it's difficult. But why should I be ethically bound to notify people of their screw ups? Maybe the fact that big companies carry on producing chronic code is because people find their cock ups and tell them about it. Perhaps this new type of militant action by security researchers will start to force a shift in software development as companise will no longer be able to rely on independants working it out for them.