Is finding security holes a good idea?

Eric Rescorla ekr at rtfm.com
Tue Jun 15 16:32:15 EDT 2004


Thor Lancelot Simon <tls at rek.tjls.com> writes:

> On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
>> in the paper. 
>> 
>> Roughly speaking:
>> If I as a White Hat find a bug and then don't tell anyone, there's no
>> reason to believe it will result in any intrusions.  The bug has to
>
> I don't believe that the premise above is valid.  To believe it, I think
> I'd have to hold that there were no correlation between bugs I found and
> bugs that others were likely to find; and a lot of experience tells me
> very much the opposite.

The extent to which bugs are independently rediscovered is certainly
an open question which hasn't received enough study. However, the
fact that relatively obvious and serious bugs seem to persist for
long periods of time (years) in code bases without being found
in the open literature suggests that there's a fair amount of
independence.

-Ekr


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com