<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: More on Bugfinding</title>
	<atom:link href="http://spiresecurity.com/?feed=rss2&#038;p=442" rel="self" type="application/rss+xml" />
	<link>http://spiresecurity.com/?p=442</link>
	<description>Risk and Cybersecurity Analysis</description>
	<lastBuildDate>Wed, 21 Aug 2013 23:28:51 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: Pete</title>
		<link>http://spiresecurity.com/?p=442&#038;cpage=1#comment-726</link>
		<dc:creator>Pete</dc:creator>
		<pubDate>Sun, 02 Apr 2006 01:47:58 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=442#comment-726</guid>
		<description><![CDATA[@Robert -

1. If a 12 yr old can find vulns, it really wouldn&#039;t be exercising my intellectual capabilities to do so, right? So why don&#039;t you want to exercise yours? Why don&#039;t you hire a bunch of 12 yr olds to do this work?

2. If you can&#039;t quantify these things, I suggest exercising a little more intellectual capability. It&#039;s really quite simple. A 12 yr old could do it.

3. Why do you equate exploits with incidents? One exploit can be the cause of many incidents, right? So if there have been many more undercover exploits, then name 3, please. Thanks. (Btw, if you know this for a fact, then wouldn&#039;t it be the responsible thing to disclose this information?)

4. Thanks for making my point for me with your sendmail bug example. Why on earth would we want that information discovered and disclosed by the good guys given that we know how quickly the bad guys will react? We&#039;ve gone x years (how far back does this vuln go?) without a single bad guy exploiting that vuln and yet now you are suggesting it is a problem? What about all of those previous years? What are you doing today about the *next* Sendmail vulnerability?

5. I happen to think the important information already *is* underground and you are providing enterprises with comfort food of patching to make their problems go away when they actually aren&#039;t going away. Talk about lulling.

6. It is always amusing that bugfinders think that if they didn&#039;t find the vulnerabilities, then nothing would actually happen - no exploits, no incidents, no nothing. And if you think stuff would happen, then who would be lulled into a false sense of security? Wouldn&#039;t the normal reaction to a (presumably) unexpected exploit be something quite a bit more than a lull?


]]></description>
		<content:encoded><![CDATA[<p>@Robert -</p>
<p>1. If a 12 yr old can find vulns, it really wouldn&#8217;t be exercising my intellectual capabilities to do so, right? So why don&#8217;t you want to exercise yours? Why don&#8217;t you hire a bunch of 12 yr olds to do this work?</p>
<p>2. If you can&#8217;t quantify these things, I suggest exercising a little more intellectual capability. It&#8217;s really quite simple. A 12 yr old could do it.</p>
<p>3. Why do you equate exploits with incidents? One exploit can be the cause of many incidents, right? So if there have been many more undercover exploits, then name 3, please. Thanks. (Btw, if you know this for a fact, then wouldn&#8217;t it be the responsible thing to disclose this information?)</p>
<p>4. Thanks for making my point for me with your sendmail bug example. Why on earth would we want that information discovered and disclosed by the good guys given that we know how quickly the bad guys will react? We&#8217;ve gone x years (how far back does this vuln go?) without a single bad guy exploiting that vuln and yet now you are suggesting it is a problem? What about all of those previous years? What are you doing today about the *next* Sendmail vulnerability?</p>
<p>5. I happen to think the important information already *is* underground and you are providing enterprises with comfort food of patching to make their problems go away when they actually aren&#8217;t going away. Talk about lulling.</p>
<p>6. It is always amusing that bugfinders think that if they didn&#8217;t find the vulnerabilities, then nothing would actually happen &#8211; no exploits, no incidents, no nothing. And if you think stuff would happen, then who would be lulled into a false sense of security? Wouldn&#8217;t the normal reaction to a (presumably) unexpected exploit be something quite a bit more than a lull?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert E. Lee</title>
		<link>http://spiresecurity.com/?p=442&#038;cpage=1#comment-725</link>
		<dc:creator>Robert E. Lee</dc:creator>
		<pubDate>Sun, 02 Apr 2006 01:10:45 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=442#comment-725</guid>
		<description><![CDATA[&gt; I am not sure why I value bugfinder intelligence more than they do themselves (they seem to think that any average Joe can find the vulnerabilities they find; I think they are pretty smart and often find vulnerabilities that attackers never would).

This is a perception you have because you aren&#039;t actively trying to understand the technology deep enough to look for bugs.  You likely have the intellectual capabilities to do so, but because you have not exercised them, the bug finding game seems like magic.  It&#039;s not.  It&#039;s quite easy.  I&#039;ve seen 12 year olds do it.

Your view is also skewed because you attempt to quantify things you can&#039;t measure.  I know for a fact there have been more than 10 &quot;undercover&quot; exploits in the past ten years.  I&#039;d estimate the true incidents are likely in the thousands.

&gt; Bugfinders are ultimately like the street people who want to clean your windshield at a stoplight, do it with muddy water, then expect to be paid for it with gratitude and money. It’s not (necessarily) to say their heart isn’t in the right place, but forced charity that is destructive is pretty hard to be thankful for no matter how much the giver wants to believe it is helpful.

This quote is comedy gold. :)  I may end up using it on a T-Shirt this year in Vegas.

&gt; I think folks should disclose as little as possible and wait as long as possible while still remaining secure from any exploit of the vulns in question.

You realize that this doesn&#039;t work though without a trusted computing base.  Look at the recent Sendmail bug as a case in point.  Based on very limited, and somewhat initially misleading information in the form of an advisory/patch release, in less than 4 hours&#039; time we were able to figure out what the vulnerability was and the initial attack vector required to exploit it.  Within 2 days&#039; time it was possible to get our PoC to a semi-reliable level.  There are attackers out there that are a lot more gifted at the exploit writing game than we are.  If you release the patches, you are effectively releasing the vulnerability details.  So what&#039;s your solution now, to remain in the world of &quot;responsible disclosure&quot;, should we shame software companies into never admitting security weakness and never releasing patches, because that provides the details of the problem?

Your advocated stance on disclosure, if espoused by law makers, would take the currently freely exchanged information underground.  Can&#039;t say for sure what the outcome would be, but the measurable security for organizations would most likely be a lot worse than it is now, partially because you cannot quantify that which cannot be measured, and partially because people will be lulled into a false sense of security.

Your angst is somewhat understandable, but unfortunately off target.

Robert
]]></description>
		<content:encoded><![CDATA[<p>> I am not sure why I value bugfinder intelligence more than they do themselves (they seem to think that any average Joe can find the vulnerabilities they find; I think they are pretty smart and often find vulnerabilities that attackers never would).</p>
<p>This is a perception you have because you aren&#8217;t actively trying to understand the technology deep enough to look for bugs.  You likely have the intellectual capabilities to do so, but because you have not exercised them, the bug finding game seems like magic.  It&#8217;s not.  It&#8217;s quite easy.  I&#8217;ve seen 12 year olds do it.</p>
<p>Your view is also skewed because you attempt to quantify things you can&#8217;t measure.  I know for a fact there have been more than 10 &#8220;undercover&#8221; exploits in the past ten years.  I&#8217;d estimate the true incidents are likely in the thousands.</p>
<p>> Bugfinders are ultimately like the street people who want to clean your windshield at a stoplight, do it with muddy water, then expect to be paid for it with gratitude and money. It’s not (necessarily) to say their heart isn’t in the right place, but forced charity that is destructive is pretty hard to be thankful for no matter how much the giver wants to believe it is helpful.</p>
<p>This quote is comedy gold. :)  I may end up using it on a T-Shirt this year in Vegas.</p>
<p>> I think folks should disclose as little as possible and wait as long as possible while still remaining secure from any exploit of the vulns in question.</p>
<p>You realize that this doesn&#8217;t work though without a trusted computing base.  Look at the recent Sendmail bug as a case in point.  Based on very limited, and somewhat initially misleading information in the form of an advisory/patch release, in less than 4 hours&#8217; time we were able to figure out what the vulnerability was and the initial attack vector required to exploit it.  Within 2 days&#8217; time it was possible to get our PoC to a semi-reliable level.  There are attackers out there that are a lot more gifted at the exploit writing game than we are.  If you release the patches, you are effectively releasing the vulnerability details.  So what&#8217;s your solution now, to remain in the world of &#8220;responsible disclosure&#8221;, should we shame software companies into never admitting security weakness and never releasing patches, because that provides the details of the problem?</p>
<p>Your advocated stance on disclosure, if espoused by law makers, would take the currently freely exchanged information underground.  Can&#8217;t say for sure what the outcome would be, but the measurable security for organizations would most likely be a lot worse than it is now, partially because you cannot quantify that which cannot be measured, and partially because people will be lulled into a false sense of security.</p>
<p>Your angst is somewhat understandable, but unfortunately off target.</p>
<p>Robert</p>
]]></content:encoded>
	</item>
</channel>
</rss>
