From: weld at vulnwatch.org (Chris Wysopal)
Subject: Symantec Buys SecurityFocus, among others....

On Thu, 18 Jul 2002, Jay D. Dyson wrote:

> Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Even if you put a copyright notice on your advisories and give permission for non-profits to redistribute, the for-profits will just reword the information for their database.

It usually takes several days to research and create an advisory and many hours of working with the vendor to get them to fix it. The vuln reporter gets some street cred. The for-profit retypes the information and probably makes a few thousand dollars PER ADVISORY. And several for-profits are doing this.

> Let's face it: the for-profit companies have been leeching off the
> community for years and giving nothing back save for sponsorship of key
> escrow, further draconian legislation, and advocacy of a security cabal
> (which they would control) that would take free information and bundle it
> as a pay-for product/service.

The only way to stop the leeching is to have a free vulnerability database. There could be a site where vuln reporters could enter the information into the database themselves. This database would always be the most up to date and the most accurate. If there were a standardized vuln reporting format, perhaps the import into the database could be automated. Mirroring of the database around the world would be encouraged.

I would love VulnWatch to be able to do this. Any volunteers?

> Look, I have nothing against someone trying to make a buck. That
> is the cornerstone of the capitalist system. What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for.

Agreed. I have struggled with the model that exists for many years. It seems the only way to make money off of vuln information is to sell a database, and the people selling them do not pay the vulnerability reporters for their effort.

Let's face it. There would be no security information business without all the people donating their knowledge for free.

Of all the vuln database companies, SecurityFocus has been the best at giving back to the community, and they say this won't change. Even so, a completely non-corporate and free vuln database would be something good for the community.

-Chris

> -Jay
>
> 1. About the only real effort I see from corporate security firms these
> days is whipping up FUD-filled press releases to scare the living
> bejeezus out of the masses about "cyber-terrorism" and other happy
> horseshit.
>
> Jay D. Dyson -- jdyson@...achery.net
>
> Full-Disclosure - We believe in it.
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure