Frustrated bug hunters to expose a flaw a day for a month

A Russian security firm has pledged to release details of previously undisclosed flaws in enterprise applications it has discovered every day for the remainder of January. Intevydis intends to publish advisories on zero-day vulnerabilities in products such as Zeus Web Server, MySQL, Lotus Domino and Informix and Novell …

COMMENTS

  1. Anonymous Coward

    And yet they refuse to help...

    <i>with what might come across as a name-and-shame scheme designed to push vendors into developing security fixes more quickly.</i>

    From the website:

    <i>You – ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free?</i>

    I think those guys are simply a bunch of jealous whiners who have no clue what it's like to manage a big software project. Throwing vulnerabilities which they discovered into the open yet refusing to inform the vendor, and then crying out about how buggy the product is? Puhlease..

    1. Steen Hive

      Of course they refuse

      They've been helping for years and getting pissed on for their trouble. Tough luck. If you are managing a big or critical software project without a distinct zero-day vulnerability response path, you should be sacked.

  2. JWS

    Good

    Good to see someone trying to get people to listen and patch their software. Although I fear it won't work as patches cost money to make.

  3. Neal 5

    This is good

    Especially if the move is away from scaremongering proofs of concept, into real-time live exploits, and especially if published to the whole community first.

    Then these so-called managers of big software projects might actually manage the security in their project properly to start with.

    Patches don't cost money to make (the code is already written, it just needs tweaking); they prolong the life cycle, improve stability and, in the long run, bolster profits.

    In Yankee parlance, buying a lemon springs to mind; the UK is probably more familiar with the Friday afternoon syndrome. Even some firms as tardy as Adobe would prefer a secure product to a hacked/exploitable product.

    Of course anyone running Mac or Linux systems has no need to worry about any vulnerability whatsoever, because they just don't exist on those platforms.

    1. J-Wick

      @Neal 5

      How much of your comment is sarcasm, exactly? :D

  4. Joe Montana

    Stance...

    I happen to agree with them, software vendors treat bug hunters with disdain... They often react with hostility when confronted with bug reports, sometimes even threatening the bug hunter. They expect people to spend their own time finding bugs, and then let them fix it quietly without telling anyone. This is much cheaper than actually hiring people to test their code before it ships.

    Very rarely do you get thanked, let alone any kind of payment.

    Most bug hunters are expected to pay full price for these products.

    It should be share and share alike, you help me, I help you... I'm quite happy to work with open source developers because they gave me something for free, and it's easier because I can actually write a patch myself. But I very much resent the behaviour of most commercial vendors...

  5. Anonymous Coward

    Dangerous ground methinks,...

    Why not hold "Bug Auctions"? Sell knowledge of each flaw to the sole highest bidder, which will establish the true value of the exploit, and allow the companies to buy it back if it is really that serious?

    Truly a "knowledge based economy"

  6. Paul Smith

    Tosh and Twaddle!

    Security Researchers upset because they are not appreciated. What a surprise.

    Who exactly asked them to research the security of other people's products? No one.

    Why do they do it? For their own benefit, of course. They get financial recompense or ego massage, and any financial benefit is not earned through doing something useful; it is gained by exploiting the flaw themselves, selling details of the flaw to someone willing to exploit it, or by being paid to not do one of the above. Since all three options are borderline criminal, why is it that they expect to be appreciated?

    1. Anonymous Coward

      That does not excuse ...

      software vendors for not patching vulnerabilities/bugs in their software in a timely manner, and if the security companies can find these flaws you know that others can find, and have found, these vulnerabilities.

      So, what do you propose as a better solution?

      1. Ken Hagan Gold badge

        What do I propose?

        That's simple. You tell the vendor. Then, after a "timely" interval (of your choosing) you tell the world. Those vendors who care about their customers will learn the ropes quickly enough, and those that don't will find their customers blaming *them* rather than the researchers.

        Unlike the proposal here, which is a bunch of attention whores who don't give a monkey's how many innocent customers they clobber in their heroic battle against the Evil Vendors.

    2. heyrick Silver badge

      Borderline criminal?

      Have you read El Reg recently? Noticed how many security bugs are in widely deployed 'net products? I will be keeping an eye on these guys and if they mention anything I actually run, I'll uninstall it PDQ. However, I will also thank them for their efforts, as things WILL get hacked, considering there is commercial value in exploiting the data on a person's computer. Given what is at stake here, perhaps software companies should put as much effort into shoring up their products as they put into new features. Either that or they should step back and say "sod it, we failed" and let a better technology take over.

      I'm sure their site will say lots of semi-egotistical stuff about their aims and ambitions, but I feel it's time buggy software was called to task. It might have sufficed back in the days when computers were standalone boxes doing a fairly specific task. Now the world is wired, we need a higher standard of software for the protection of our privacy ... Zuckerberg might think he's the world's prophet, but I've yet to see anybody intentionally post their credit card information online - some stuff we WANT kept private even if we tweet every other thought that enters our heads. The difference is that what we say is our choice, wisely or foolishly. Hackers will be looking for the information we don't care to share, and for this we need resilient software both on our computers and on the servers.

      Let the games begin...

    3. Anonymous Coward

      Sure

      but that, essentially, is why any of us do anything, which makes your objection meaningless.

  7. Ross 7

    Ppl forget

    Ppl forget that "responsible disclosure" was originally designed to provide a benefit to the then bug finder elite. They needed a way to monetise their time investment, so they became "consultants", selling themselves to various IT organisations. Trouble was their less famous mates were releasing 0-days on usenet, which was kinda embarrassing and also limited their income.

    Responsible disclosure meant doing it the corporate way, and thus generated cash for certain ppl. It also provided a cheap way to bash ppl that didn't abide by the rules - "oh he's very irresponsible for releasing that without giving it to us for free first!" That kind of thing was likely to put a dent in your CV and prevent you from drinking at the watering hole with the big guys.

    The bugs are valuable information, so why should it be given freely to a corporation to benefit from? If you think that's the way it should be then I suggest you also look at the patenting of drugs - knowing how to make Herceptin etc is a very valuable piece of information, and helps lots of ppl. I still don't see it being given away for free...

    Why? Because it takes a lot of time and effort to create and test it, and ppl should be recompensed for that otherwise nobody else is going to put that kind of time and effort into discovering things which would be a bad thing.

    Plenty of ppl out there stand to benefit from exploits, and they're not the kind of ppl you want benefiting from them. It therefore stands to reason that if you want the "good" guys to know about them first that there's an incentive for ppl to tell them and not the bad guys. If not, don't bother complaining when your mate sends you a PDF and you subsequently need to spend 3 months sorting out your credit score.

  8. David Pickering

    good on em

    bout time these companies get a swift kick up the arse tbh. i for one am so tired of half-baked Mickey Mouse software.

  9. Anonymous Coward

    Whiners or no?

    Well, I can see where the comments are coming from and don't disagree per se. However, when we're talking about big companies making money and such, it would have helped their stance if they didn't start spouting off about a product (Sun Directory Server) which may be used totally free of charge, both for personal and commercial usage.

    The only way Sun is (trying, we all know how well they're doing) making money is from supporting people with using their software.

    So no, these guys may have done good things in the past but IMO this is ridiculous.

  10. John Smith 19 Gold badge

    Not just software vendors either

    Remember the oh-so-helpful CCTV system with web access sold to various nurseries and schools in the UK and its *massive* security bug allowing anyone access? Remember the *months* of getting the vendor to actually *do* something?

    Given the size of present software and the *way* it's written, bugs are guaranteed. Some are worse than others and someone has to decide given limited resources (because there are *never* enough developers to do *everything* at once). That's called management. One option is to ignore *all* reports, fire any remaining developers and live off the license fees (a real MBA type approach to running a software company). Most companies are a bit better than that but I've no doubt some are a *lot* better than others.

    If I were betting my privacy and security (or my company's) on stuff I *paid* for that can rat me out to anyone smart enough to find bugs in it, I'd like to know which vendors are responsible in handling this situation, especially if they *persist* in handling this routine (and you should view it as routine) problem.
