Security

Submission + - Why Vulnerability Research Matters (threatpost.com)

Trailrunner7 writes: It seems that any time there's a high-profile incident in which a vulnerability is disclosed without a patch being available, there is an immediate and loud call from some corners to abolish the practice of vulnerability research. If researchers weren't spending their days poking holes in software, the bad guys wouldn't have so many flaws to exploit and we'd all be safer, this argument goes. But the plain fact is that all of us--users and vendors alike--are far better off because of the work researchers do.

The reality is that a responsible vendor must assume that attackers knew about a given flaw before it was disclosed. This may not always be the case, but vendors simply have to assume that it is. Consider the cases of the recently patched critical vulnerability in Adobe Reader and the huge Java bug that was disclosed in April. In the case of the Reader flaw, Charlie Miller and Tavis Ormandy each discovered the vulnerability independently. And in the case of the Java bug, Ormandy and Ruben Santamarta each found the flaw at nearly the same time. So in order to make the no-one-else-knew argument hold up, you have to assume that the only two people on Earth who found these bugs came forward and reported them. No thanks.
