Message-ID: <3FBBEB1C.9040109@immunix.com>
Date: Wed, 19 Nov 2003 14:13:48 -0800
From: Crispin Cowan <crispin@...unix.com>
To: Thor Larholm <thor@...x.com>
Cc: Russ <Russ.Cooper@...on.ca>, "Steven M. Christey" <coley@...re.org>, bugtraq@...urityfocus.com, NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM, Sardonix Security Auditing <sardonix@...unix.com>
Subject: Re: Security researchers organization

Thor Larholm wrote:

>>From: Russ [mailto:Russ.Cooper@...on.ca]
>>(Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
>><snip http://tinyurl.com/ve83>
>>Thor Larholm proposed the idea of a "Union" to me. While I don't like
>>the concept of unions in this day and age, our field is one that
>>could benefit from such an idea wrt discoverers. They are far too
>>often bashed (and I have been guilty of this), and often not
>>recognized for what they do.
>>

The Sardonix.org security auditing web site was designed to do something like this. It is not a "union", more like the Slashdot version of source code auditing. Sardonix provides:

  * Auditing resources: pointers to how-to's, tools, etc.
    http://sardonix.org/Auditing_Resources.html
  * Indexed lists of audited packages
    http://sardonix.org/Browse_Programs.html
  * Web form for submitting an audit
    http://sardonix.org/Submit_Audit.php
    which triggers a responsible disclosure process that follows the RFP
    <http://www.wiretrip.net/rfp/policy.html> disclosure protocol
  * Mailing list for all the usual reasons
    http://sardonix.org/Mailing_List.html

The problem was that we threw a party and no one came: hundreds signed up for the mailing list, but a majority of submitted audits were pushed in by students of David Wagner @ Berkeley, who were told to submit audits as a class assignment.

A subtle distinction may be the root cause here: Sardonix seeks to change the research model from "find a bug, win a prize! (fame & glory for half a day)" to "audit software, report what you find, and win a reputation for the long term." Having a pile of audited software is *much* more useful to admins than an endless stream of "gotcha again!" advisories. But from the lack of response from security investigators, I conjecture that "find a bug, win a prize!" is more fun to do, and so that's what investigators choose to do.

I would just *love* to be wrong here. If there is something I can do to make Sardonix more attractive to investigators, without fundamentally changing its mission, sing out. I don't feel a need to change it over to "find a bug, win a prize" because Bugtraq, vuln-dev, etc. do a fine job of that: Sardonix is different to fill a perceived unmet need. But if it doesn't interest investigators, then it doesn't do anything at all.

So how about it; what does it take to interest investigators?

Thanks,
    Crispin

-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
Chief Scientist, Immunix  http://immunix.com
http://www.immunix.com/shop/