Another List – Bugfinders w/ Enterprise Experience

I have decided to keep a list of bugfinders who publicly disclose vulnerabilities in other people’s products and also have internal IT experience working for enterprises with more than 5,000 desktops/laptops. That is, they actually had some level of responsibility for protecting the systems before, during, and after the discovery/disclosure/patch process.

Please send any references you know of and note whether the information is confidential or public. I believe these folks are vitally important to assisting with moving the disclosure process forward. (FWIW, I also don’t believe any exist).

Thanks for your help.

Update: Thanks to some of the information provided, I have found two likely candidates. See here for more details.

9 comments for “Another List – Bugfinders w/ Enterprise Experience”

  1. January 17, 2007 at 9:23 pm

    I wonder if IBM (ISS) has more than 5K desktops? :^)

  2. Pete
    January 18, 2007 at 12:06 am

    @Chris -

    I am sure you know the answer, but it is really too early to tell what will happen w/ the X-Force. Of course, it is pretty telling that you point out a vendor first… Any reason you didn’t mention GM or Wal-Mart or Exxon?

  3. January 18, 2007 at 12:28 pm

    I just thought of ‘bug finders’ I know exist, and filtered on what size I think their employer is. IBM was the first one to come to mind. I don’t know any IT people at those other outfits.

    Of course, some Universities have > 5K deployed (and managed) boxes, so that pretty much takes care of your non-existence claim, too.

    BTW, do you mean “publicly disclose” before a fix is made available, afterwards, or after notifying the vendor and waiting “a reasonable amount of time”?

  4. Pete
    January 18, 2007 at 1:06 pm

    I think I need to clarify – simply working for a company that has >5k seats does not qualify a bugfinder for this list. I am looking for folks that used to be, or still are, responsible (in some fairly direct way) for those 5k+ seats.

    AFAIK, my non-existence claim stands, though I need to broaden my looking. Feel free to put a note on your blog, if interested.

  5. January 18, 2007 at 1:41 pm

    BugFinding

    So, Pete Lindstrom’s looking for vulnerability researchers with enterprise experience. Now I think I just barely qualify; not on the enterprise experience side (that I have quite a bit of experience in) – but on the research side (where I have less exp…

  6. January 19, 2007 at 12:28 pm

    Peter has already been informed in email of the (obvious) fact that he is wrong. The overwhelming majority of vulnerability researchers at Fortune 500 companies do not read his blog, or care to attach their names or the names of their employers to his crusade, so I expect him to have little trouble continuing to pretend that this is a real question.

    I recognize Peter’s “qualifications” for this list to include:

    - Employment by a medium-sized enterprise (thousands of seats).

    - Active responsibility for the security of a large number of machines at that employer.

    - Discovery and publication of vulnerabilities, with the approval of that employer, during their tenure at the employer.

    - Discovery of those vulnerabilities as a key job requirement and role at that employer.

    There are hundreds of these people. Consider, for example, virtually every web application deployed at a financial institution.

  7. Pete
    January 19, 2007 at 1:06 pm

    @Thomas -

    I think I need to clarify again:

    1) The enterprise experience does not need to be simultaneous, e.g. if you have had previous requisite experience managing desktops, you would qualify as well.

    2) The disclosure must be “public” as in published on one of the popular mailing lists and/or security advisories and/or trade publications.

    I would expect that internal bugfinders would not publish their findings publicly, so don’t really expect to find simultaneous activities going on.

    In addition, your “virtually every web application deployed at a financial institution” scenario would only qualify folks if they had 1 and 2 above, and that is most certainly not hundreds of people.

    I will also need to clarify in future posts the differences that are cropping up between traditional desktop/server oriented vulnerabilities and the Web environment, since Websites are (usually?) much easier to manage than desktops.

    [Note: To date, I am unaware of any emails regarding this post, though I have sent one in response to Security Curve's trackback above, to confirm. I suspect you are right that I am wrong - I would sure love to know who they are, since I think their opinions matter most in this exercise.]

  8. January 20, 2007 at 4:50 pm

    Peter has already conceded to me in email that he knows that people with his qualifications exist. But he has not yet corrected this post, despite the fact that most of his readers see only his posts, not the comments in the post.

  9. January 20, 2007 at 9:38 pm

    Lowering the Bar – Still Looking for Bugfinders w/ IT Experience

    From 5,000 down to 3,000. I have been given a handful of leads in my quest to find bugfinders who publicly disclose vulnerabilities in mailing lists or public notices and also have operational experience (either present or previous) and responsibility …
