RE: Final position RE: [CVEPRI] Handling of new vulnerabilities discovered by Steve Christey



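> From: Pascal Meunier [mailto:pmeunier@cerias.purdue.edu]

> I was shown how to do better work by first doing sloppy
> work, and being told what I should have done
> better. With free speech, it is unavoidable that
> people will issue sloppy or trivial advisories that will
> irritate. The real issue of this argument is whether some
> security work should be ignored or not, depending on
> the motives (I think this is the position taken by
> Russ, David and Marcus?), or if it should be given a place in
> the CVE process.

It is my position that people should publish material that is technically sound, and should be encouraged to do so. I personally dislike the advisory game, and what it has become. I don't suggest ignoring work, regardless of motivation; it can contain useful information. I do find that I have to do a lot of work to get at the useful information, rather than the original finder communicating it to me.

I didn't interpret what Russ and Marcus said as actually discouraging work, but rather as encouraging people to be adults about presenting their work, and responsible for the consequences of how and when they disclose issues. If I haven't correctly reflected their views, my apologies, and they should clarify for themselves.

> Having an educational mission means that I cannot
> support discouraging this kind of security
> work, because it can be a learning experience. On a
> scientific basis, each argument, advisory or note must be
> examined on its own merits, without taking into account who
> said it or why. If Steve is willing to accommodate that
> group, I want to help.

I agree, but it is such a pity that so much of the input data is, on a scientific basis, extremely flawed, inaccurate and poorly thought out. This is because we're dealing with one of the few fields where most 'researchers' go through no accreditation process or training whatsoever. It also tends to make it a bit less stodgy and more interesting, so it is a trade-off.

It isn't the work itself that I discourage, but irresponsible reporting of the information, low ethical standards where people will regularly slam one vendor, but leave the one who pays them alone, low quality information, and very childish fights over who got there first. I can do without all of that, but maybe they'll grow up, and I know of at least one person who used to regularly give me half-baked reports that couldn't be repro'd, but had a kernel of truth most of the time. He's now one of the better researchers and gives solid reports that are easy to repro - and he's responsible with vendors.

Funny how Steven's concerns about reserving a few numbers for himself have turned into such a heated discussion.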

Page last updated or reviewed: May 22, 2007