Black hat greed reducing software vulnerability report rate

HP has kicked off the round of reports that accompany each RSA conference with its analysis of security vulnerabilities, and has revealed that although the overall trend is positive, the growing market for zero-day flaws is reducing the number of the most serious problems that are disclosed. The long …

COMMENTS

This topic is closed for new posts.
  1. Peladon

    And perhaps...

    ... some of the trials and tribulations undergone by security researchers reporting or trying to report issues, and associated changes and proposed changes in law and regulation, might also have contributed to a reduction in reports.

    Some companies appear to want to generate an environment where a security researcher can be penalised or prosecuted for even looking for vulnerabilities. Some companies also appear to want an environment where any attempt to publicise (whether to a wide or restricted audience not limited solely to a specific company) can similarly lead to bad press and the joys of the court, and where any effort by such researchers to claim reward for their effort and findings is somehow translated into being a form of extortion. Perhaps a reduction in the number of reports may be, in part, attributed to the creation of such an environment.

    And if the only reward available is one found on the dark side of the street - it may not be surprising if some people are tempted to take their first steps down those streets.

    Or not. I'm probably talking total nonsense. After all, I'm an Idiot :-).

    1. Anonymous Coward

      Re: And perhaps...

      So Peladon, what you're saying is "do the decent thing", get your arse sued off.

      Sell it on the grey market "is that a euphemism for flog it to some dodgy government?" make much oh dollars.

      So how is this any more greedy than the SW company selling sh1te SW in the first place because proper development costs too much?

      It all boils down to ca$h at the end of the day.

      1. Peladon

        Re: And perhaps...

        @AC

        Heh. With respect (and genuine and sincere respect) - er, no.

        I'm not saying that at all.

        I'm suggesting that _maybe_ some companies out there are saying that. Or suggesting it. Or lobbying for new laws to make it so. And I'm _suggesting_ that those companies, if they're doing such things, should hardly be surprised if:

        1: People report fewer security issues less often

        2: Some people, being people, start accepting less, um, 'orthodox' offers of reward for information about the issues they may have found.

        And I'm also suggesting, and only suggesting mind, since I don't want my own hinder parts subjected to the less than tender mercies of lawyers and judges, that it's those companies' own bloody fault if one or both of the above take place in the future or are taking place now.

        And I apologise for my lack of clarity if the above was not suitably expressed in my initial posting.

        1. Anonymous Coward

          Re: And perhaps...

          Sincere apologies Peladon,

          My reference to you really just covered the first line.

          The rest was a none too subtle dig at the headline writers and lazy arsed management who hand out grief to developers who want to do the right thing.

          1. Peladon

            Re: And perhaps...

            No apology required, sir (or ma'am, as the anonymous case may be :-) ).

            In any such circumstance, my general tendency is to assume I wrote something bloody^H^H^H^H^H^Y, er, ratted stupid :-). That's 'spending time with Editors', that is. After that, it sort of comes naturally (blush).

  2. Anonymous Coward

    Blame the coders. They think they know everything yet release absolute crap.

  3. Robert Helpmann??

    SCADA Vulns

    "a huge increase in the number of SCADA...vulnerabilities detected... This likely reflects that people are more actively looking for such things post-Stuxnet, rather than any inherent instability in SCADA code."

    ...anything that wasn't in SCADA code all along.

    This is rather the nature of the beast, isn't it?

    1. admiraljkb

      Re: SCADA Vulns

      @Robert Helpmann??, you beat me to it.

      One of the instances of SCADA code I'm aware of is running on critically old/out of date Windows systems (as far as security hotfixes go, as well as still being 2000 and 2003 server), and still not firewalled off in an isolated network for at least some protection. The workstations around the SCADA systems are also critically unpatched, with an IT dept that tells the users IE 6 is the secure company standard, and Firefox is a security threat. This is a large US power company that has the best IT that lowest bid contracts will get it... If the other utilities are like this, we're pretty much doomed if a group of cracker/hackers decide to "throw the switch".

      Sad face, well, it's pretty depressing innit?...
