Ivan takes me to task, I respond…

For those interested in reading more about the disclosure debate (and I know you are), there is something brewing that I predict will be ongoing (here). Seriously though, Ivan is a brilliant guy and I have a lot of respect for Core Security; I even named them a cool vendor last year when I was still with Gartner.


One thought on “Ivan takes me to task, I respond…”

  1. You are going down a rathole talking about disclosure. This is really about discovery. You make a lot of great points, and it is really laughable reading the bugfinders’ request for data. But it is silly to try to come up with time periods to respond. Responsible disclosure would be a great goal if the bad guys followed the same rules. Since they never will, what I really want to know is why people only care about vulns after they are disclosed? Disclosure is the fast food of security – it makes us feel really good but in the end is not very healthy. We should be addressing all of those unknown vulns that everyone always says are the problem. Those “pocket 0 days” sound really problematic, and it is clear with all of the undercover exploits going around lately that bugfinders are failing miserably anyway. Instead we are stuck responding to a bunch of folks who have never managed more than 25 PCs in their lives thinking that a 50,000 PC organization can turn on a dime.

    The real truth of the matter is that no “evidence” will ever convince bugfinders to stop finding bugs and look for alternative methods of security because it is an emotional decision for them. They are only doing it as a knee-jerk reaction to a perceived problem and they really, really like doing it.

