From 5,000 down to 3,000. I have been given a handful of leads in my quest to find bugfinders who publicly disclose vulnerabilities in mailing lists or public notices and also have operational experience (either present or previous) and responsibility …

I think I need to clarify again:

1) The enterprise experience does not need to be simultaneous, e.g. if you have had previous requisite experience managing desktops, you would qualify as well.

2) The disclosure must be “public” as in published on one of the popular mailing lists and/or security advisories and/or trade publications.

I would expect that internal bugfinders would not publish their findings publicly, so don’t really expect to find simultaneous activities going on.

In addition, your “virtually every web application deployed at a financial institution” scenario would only qualify folks if they had 1 and 2 above, and that is most certainly not hundreds of people.

I will also need to clarify in future posts the differences that are cropping up between traditional desktop/server oriented vulnerabilities and the Web environment, since Websites are (usually?) much easier to manage than desktops.

[Note: To date, I am unaware of any emails regarding this post, though I have sent one in response to Security Curve's trackback above, to confirm. I suspect you are right that I am wrong - I would sure love to know who they are, since I think their opinions matter most in this exercise.]

I recognize Peter’s “qualifications” for this list to include:

- Employment by a medium-sized enterprise (thousands of seats).

- Active responsibility for the security of a large number of machines at that employer.

- Discovery and publication of vulnerabilities, with the approval of that employer, during their tenure at the employer.

- Discovery of those vulnerabilities as a key job requirement and role at that employer.

There are hundreds of these people. Consider, for example, virtually every web application deployed at a financial institution.

So, Pete Lindstrom’s looking for vulnerability researchers with enterprise experience. Now I think I just barely qualify; not on the enterprise experience side (that I have quite a bit of experience in) – but on the research side (where I have less exp…

AFAIK, my non-existence claim stands, though I need to broaden my looking. Feel free to put a note on your blog, if interested.

Of course, some Universities have > 5K deployed (and managed) boxes, so that pretty much takes care of your non-existence claim, too.

BTW, do you mean “publicly disclose” before a fix is made available, afterwards, or after notifying the vendor and waiting “a reasonable amount of time”?

I am sure you know the answer, but it is really too early to tell what will happen w/ the X-Force. Of course, it is pretty telling that you point out a vendor first… Any reason you didn’t mention GM or Wal-Mart or Exxon?