


Submission + - Why Vulnerability Research Matters

Trailrunner7 writes: It seems that any time there's a high-profile incident in which a vulnerability is disclosed without a patch being available, there is an immediate and loud call from some corners to abolish the practice of vulnerability research. If researchers weren't spending their days poking holes in software, the bad guys wouldn't have so many flaws to exploit and we'd all be safer, this argument goes. But the plain fact is that all of us--users and vendors alike--are far better off because of the work researchers do.

The reality is that a responsible vendor must assume that attackers knew about a given flaw before it was disclosed. This may not always be the case, but vendors simply have to assume that it is. Consider the cases of the recently patched critical vulnerability in Adobe Reader and the huge Java bug that was disclosed in April. In the case of the Reader flaw, Charlie Miller and Tavis Ormandy each discovered the vulnerability independently. And in the case of the Java bug, Ormandy and Ruben Santamarta each found the flaw at nearly the same time. So in order to make the no-one-else-knew argument hold up, you have to assume that the only two people on Earth who found these bugs came forward and reported them. No thanks.
