
Submission + - Why Vulnerability Research Matters

Trailrunner7 writes: It seems that any time there's a high-profile incident in which a vulnerability is disclosed without a patch being available, there is an immediate and loud call from some corners to abolish the practice of vulnerability research. If researchers weren't spending their days poking holes in software, the bad guys wouldn't have so many flaws to exploit and we'd all be safer, this argument goes. But the plain fact is that all of us--users and vendors alike--are far better off because of the work researchers do.

The reality is that a responsible vendor must assume that attackers knew about a given flaw before it was disclosed. This may not always be the case, but vendors simply have to assume that it is. Consider the cases of the recently patched critical vulnerability in Adobe Reader and the huge Java bug that was disclosed in April. In the case of the Reader flaw, Charlie Miller and Tavis Ormandy each discovered the vulnerability independently. And in the case of the Java bug, Ormandy and Ruben Santamarta each found the flaw at nearly the same time. So in order to make the no-one-else-knew argument hold up, you have to assume that the only two people on Earth who found these bugs came forward and reported them. No thanks.
