Re: Security researchers organization

To: Thor Larholm <thor@xxxxxxxx>
Subject: Re: Security researchers organization
From: Crispin Cowan <crispin@xxxxxxxxxxx>
Date: Wed, 19 Nov 2003 14:13:48 -0800
Cc: Russ <Russ.Cooper@xxxxxxxx>, "Steven M. Christey" <coley@xxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx, Sardonix Security Auditing <sardonix@xxxxxxxxxxx>
In-reply-to: <8B32EDC90D8F4E4AB40918883281874D0BB04F@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <8B32EDC90D8F4E4AB40918883281874D0BB04F@xxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701

Thor Larholm wrote:

From: Russ [mailto:Russ.Cooper@xxxxxxxx]
(Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
<snip http://tinyurl.com/ve83>
Thor Larholm proposed the idea of a "Union" to me. While I don't likethe concept of union's in this day and age, our field is one thatcould benefit from such an idea wrt discoverers. They are far toooften bashed (and I have been guilty of this), and often notrecognized for what they do.

The Sardonix.org security auditing web site was designed to do somethinglike this. It is not a "union", more like the Slashdot version of sourcecode auditing. Sardonix provides:


   * Auditing resources: pointers to how-to's, tools, etc.
     http://sardonix.org/Auditing_Resources.html
   * Indexed lists of audited packages
     http://sardonix.org/Browse_Programs.html
   * Web form for submitting an audit
     http://sardonix.org/Submit_Audit.php which triggers a responsible
     disclosure process that follows the RFP
     <http://www.wiretrip.net/rfp/policy.html> disclosure protocol
   * Mailing list for all the usual reasons
     http://sardonix.org/Mailing_List.html

The problem was that we threw a party and no one came: hundreds signedup for the mailing list, but a majority of submitted audits were pushedin by students of David Wagner @ Berkeley, who were told to submitaudits as a class assignment.

A subtle distinction may be the root cause here: Sardonix seeks tochange the research model from "find a bug, win a prize! (fame & gloryfor half a day)" to "audit software, report what you find, and win areputation for the long term." Having a pile of audited software is*much* more useful to admins than an endless stream of "gotcha again!"advisories. But from the lack of response from security investigators, Iconjecture that "find a bug, win a prize!" is more fun to do, and sothat's what investigators choose to do.

I would just *love* to be wrong here. If there is something I can do tomake Sardonix more attractive to investigators, without fundamentallychanging its mission, sing out. I don't feel a need to change it over to"find a bug, win a prize" because Bugtraq, vuln-dev, etc. do a fine jobof that: Sardonix is different to fill a perceived unmet need. But if itdoesn't interest investigators, then it doesn't do anything at all. Sohow about it; what does it take to interest investigators?


Thanks,
   Crispin

--
Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
Chief Scientist, Immunix       http://immunix.com
           http://www.immunix.com/shop/

Follow-Ups:
- help needed with DotGNU security review (was Re: ..researchers org..)
  - From: Norbert Bollow

References:
- Security researchers organization
  - From: Thor Larholm

Prev by Date: Re: Router Worm?
Next by Date: SGI Advanced Linux Environment security update #5
Previous by thread: Security researchers organization
Next by thread: help needed with DotGNU security review (was Re: ..researchers org..)
Index(es):
- Date
- Thread