lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Nov 2003 14:13:48 -0800
From: Crispin Cowan <>
To: Thor Larholm <>
Cc: Russ <>,
	"Steven M. Christey" <>,,
	Sardonix Security Auditing <>
Subject: Re: Security researchers organization

Thor Larholm wrote:

>>From: Russ []
>>(Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
>>Thor Larholm proposed the idea of a "Union" to me. While I don't like 
>>the concept of union's in this day and age, our field is one that 
>>could benefit from such an idea wrt discoverers. They are far too 
>>often bashed (and I have been guilty of this), and often not 
>>recognized for what they do.
The security auditing web site was designed to do something 
like this. It is not a "union", more like the Slashdot version of source 
code auditing. Sardonix provides:

    * Auditing resources: pointers to how-to's, tools, etc.
    * Indexed lists of audited packages
    * Web form for submitting an audit which triggers a responsible
      disclosure process that follows the RFP
      <> disclosure protocol
    * Mailing list for all the usual reasons

The problem was that we threw a party and no one came: hundreds signed 
up for the mailing list, but a majority of submitted audits were pushed 
in by students of David Wagner @ Berkeley, who were told to submit 
audits as a class assignment.

A subtle distinction may be the root cause here: Sardonix seeks to 
change the research model from "find a bug, win a prize! (fame & glory 
for half a day)" to "audit software, report what you find, and win a 
reputation for the long term." Having a pile of audited software is 
*much* more useful to admins than an endless stream of "gotcha again!" 
advisories. But from the lack of response from security investigators, I 
conjecture that "find a bug, win a prize!" is more fun to do, and so 
that's what investigators choose to do.

I would just *love* to be wrong here. If there is something I can do to 
make Sardonix more attractive to investigators, without fundamentally 
changing its mission, sing out. I don't feel a need to change it over to 
"find a bug, win a prize" because Bugtraq, vuln-dev, etc. do a fine job 
of that: Sardonix is different to fill a perceived unmet need. But if it 
doesn't interest investigators, then it doesn't do anything at all. So 
how about it; what does it take to interest investigators?


Crispin Cowan, Ph.D. 
Chief Scientist, Immunix

Powered by blists - more mailing lists