
Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey



* David LeBlanc (dleblanc@MICROSOFT.COM) [000922 00:25]:
> > Most of it is indeed lame.
>
> It's not a bad thing, in general, but famous for what? For making good
> security tools? For helping people secure things? Or even for running an
> information list or web site? That's not so bad. That's actually doing
> something useful. But if you look honestly at a lot of what is going on,
> we're not dealing with that in many cases. I think we'd all agree. Some
> people just don't consider whether there is a fix for any vulnerability
> they report.

But the only options presented so far by anyone to curb such behavior
would throw out the baby with the bath water. They would chill the
disclosure of vulnerability information in general, and most people I know
find that to be a step in the wrong direction.

> Academia (and I can speak from experience on this one, as my name can
> properly be followed by B.S.A.E, M.S.A.E, Ph.D) is easily one of the most
> ego-driven portions of society aside from entertainment. We also see
> tremendous amounts of damage done from the quest for credit - if more people
> collaborated, lots more research would get done. Nice illustration of
> exactly what's wrong with this picture, though it does undermine your point.
> The real point here should be about doing the right thing in the right way,
> but now we're going into philosophy. Feeling good about what you do and
> having your ego inflated ought to be orthogonal.

Indeed no system is perfect, none is. Yet academia is also a success
regardless of its faults. So I hardly see how it undermines my point.

Maybe my grasp on the language is off. The Cambridge dictionary defines ego
as "your idea or opinion of yourself, or a great feeling of your own
importance and ability". So how you could feel good about what you do and
not have an inflated ego escapes me.

> > And vulnerability information has no tangible value?
>
> Not especially - not unless you add value.

No. You only need to add value if the information is already public. If
it's private information it's perfectly valuable in and of itself.

> Else why do you have a database as opposed to a simple archive?

Because it adds value to *public* information.

> > > That seems like a strange statement coming from you or any other IDS
> > > or vulnerability scanner vendor. After all you make your money from
> > > taking the same vulnerability information you say is worthless and
> > > making tests and signatures for it and then selling it to customers
> > > at a high price without paying anything to the people that
> > > discovered the vulnerability.
>
> I don't think he said it was worthless, just that these people need to grow
> up in many cases. You're arguing against something he didn't say. I also
> don't see _you_ paying them any money to stick things in your database,
> which you then sell. This is the pot calling the kettle black. Now that I
> check, he never once used the word worthless.

Huh? Marcus said that vulnerability information has no tangible value. If
that is not the same as saying it's worthless you may want to let me know
what it means.

I was not chastising Marcus for not paying for the information. I was
pointing out that it has value, as his own product, for which people pay
tangible money, depends on it. Without the vulnerability information his
product would not be worth as much. Ergo the information has value.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

Page last updated or reviewed: May 22, 2007