[OT] Re: Quick Question
From: Georgi Guninski <guninski () guninski com>
Date: Mon, 17 Mar 2003 18:51:33 +0200
[Sorry for cross-posting to the list, but this looks like a FAQ]
Dear Mr. Kannan,

Karthik Natarajan Kannan wrote:
> Dear Mr. Guninski,
> I am a doctoral student at Carnegie Mellon University working on my

I am Georgi. Georgi Guninski.

> thesis on Information Security trying to understand the industry
> structure and incentives. I realize that you are one of the prime
> people in unearthing bugs. I would greatly appreciate your responses for
> the following questions:

Sure, I will answer, but I would greatly appreciate the answer to a question by
Pink Floyd at http://www.lyricsstyle.com/p/pinkfloyd/goodbyebluesky.html
"Mother, should I trust the government?" -- Pink Floyd
> a) What is the incentive for firms like yours to unearth security bugs?

No special incentive. Hint: It is not for the money, it is not for the fame.

> b) What is the norm after unearthing the bug? Whom do you report it to?

There is no official norm as far as I know. The owner of the 0day has the
intellectual property over it and can do whatever he wants with it.
I personally have sympathy for open source projects and do my best for the problem
to be fixed officially before I go public. First notify the software developer
in this case. This sympathy does not apply to commercial vendors in whose
licence agreements it is written that the product is not fit for any purpose.

> c) Suppose a bug has been unearthed, does the software vendor pay the
> security firms for unearthing the bugs?
Generally no. The only exception for me was Netscape - they had (probably also
have, check at their site) a bug bounty program, which basically means paying
for reproducible security bugs.
> d) How do security firms like yours unearth bugs? Do you have
> specialized teams which work on unearthing these bugs?
The general algorithm is with typing on the keyboard. Mouse engineering brought
to the masses is not effective, I believe.
> e) Are there security firms which talk to the hacker community to unearth
I think you have the term "hacker" wrong.
> f) What sort of tools do you use to unearth bugs? Would they be similar
> to what hackers use?
See the answer to e)
For me the most interesting bugs were found without any tools, just my old
brain. Anyway grep and flawfinder can help in some cases.
> Looking forward to hearing from you.
Me too, for the Floyd stuff.
> Carnegie Mellon University
Full-Disclosure - We believe in it.