Date: Wed Feb 22 06:13:42 2006
From: coley at mitre.org (Steven M. Christey)
Subject: What is the state of vulnerability research? (now in spam flavor)


In a forum well-known for its unpredictable noise-to-signal ratio, not
to mention the occasional ad hominem attack, it was rather surprising
not to see a single response to this inquiry on Full-Disclosure.

I have received 10-15 diverse, private responses and will do my best
to summarize, in about a week.  (Thanks to everyone for their
thoughtful responses.)

Meanwhile, if anybody has any thoughts on the topic, a refresher
follows...

---

This is a series of open questions to people who consider themselves
to be vulnerability researchers.  Hopefully this will open a number of
fruitful public discussions.

1) What is the state of vulnerability research?

2) What have researchers accomplished so far?

3) What are the greatest challenges that researchers face?

4) What, if anything, could researchers accomplish collectively that
   they have not been able to accomplish as individuals?

5) Should the ultimate goal of research be to improve computer
   security overall?

6) What is an "elite" researcher?  Who are the elite researchers?

7) Who are the researchers who do not get as much recognition as they
   deserve?


Why am I asking?

Because I don't think this topic has been covered quite in this
fashion, and it's about time it did.

Feel free to respond to me privately.  If I receive more than a couple
responses, I will post a summary.

Thanks to James Bercegay, KF, Luigi Auriemma, Matthew Murphy, and Kurt
Seifried for beta-testing the first 5 questions by providing a variety
of responses :)

- Steve


P.S.  If you're further interested in letting your voice be heard,
check out Richard Forno's disclosure survey at
http://www.infowarrior.org/survey.html
