General
Written by Daniel
Thursday, 04 January 2007 09:08
Rift Widens Over Bug Disclosure (DarkReading)
JANUARY 3, 2007 | There's a growing rift among the research community over whether the Month-of-Bugs initiatives are helping security or hurting it. (See Buggin' Out? and Apple Bug Bites OS X, Windows.)
There's even now a little pushback from one researcher to the current Month of Apple Bugs (MOAB): Landon Fuller, a former engineer for Apple and currently with Three Rings, an online gaming developer, is answering each MOAB bug with a fix of his own.
This dueling banjos of bug reports and fixes is an example of how researchers aren't all on the same page when it comes to how new vulnerabilities get disclosed. There's always been a clear line between the bad guys and the good, and the underlying argument is not really new -- vendors have traditionally maintained a "responsible disclosure" stance. But now some of the good-guy researchers are more openly questioning just what constitutes proper disclosure of bugs and exploits. And the MOAB has become the lightning rod for the debate.
At the heart of the dispute is whether the risk of releasing an unpatched bug or exploit is worth the potential improvements in long-term security. The point of the MOAB project, according to its founders, is to release bugs and exploits without notifying the vendor.