Is finding security holes a good idea?
David Honig
dahonig at cox.net
Thu Jun 17 11:15:59 EDT 2004
At 02:12 PM 6/16/04 -0700, Eric Rescorla wrote:
>Thor Lancelot Simon <tls at rek.tjls.com> writes:
Have neither of you considered why people write
open-sourced code? Reputation, to learn, utility, etc.
With the exception of perhaps security-focussed
code, no one gains much reputation by *finding*
bugs whereas contributing a package of functionality
(buggy or not) wins community points.
In short, aside from common cognitive foibles
which you're discussing,
the open-source reward system doesn't make heroes of bug
finders. E.g., I might know the name of the author
of, e.g., sendmail, but do you know the names
of anyone who found a security bug in that code?
(Not including people you knew before).