Although I commonly counsel enterprise CISOs, security directors and managers about the futility and destructiveness of bugfinding, it is sometimes hard to get my point across. Often, they believe there is some sort of significant overlap between the bugs the bugfinders disclose and the ones they don’t disclose.
By definition, no single bugfinder can have any overlap with themselves, but the total population may have some level of rediscovery. Unfortunately, the world’s code base is so large that rediscovery is unlikely, and missing any single vulnerability that a black hat knows about means your system is at risk. Given the randomness, I wonder if enterprises have an intuition about collusion between the good guys and the bad guys?
In any case, I have a new minimum requirement "litmus test" to promote. I think it is only fair for security developers to practice what they preach. Therefore, any security software company that discovers a vulnerability about any other software manufacturer’s product must be without vulnerability itself.
I think it’s only fair. If a security company can afford the resources to find bugs in Other People’s Software, it should at least be willing to spend time on its own software. This holds particularly true for bugs found for competitor products.