[ISN] Verizon dubs sec researchers 'narcissistic vulnerability pimps'

From: InfoSec News <alerts_at_private>
Date: Mon, 26 Apr 2010 00:41:43 -0500 (CDT)
http://www.theregister.co.uk/2010/04/23/verizon_narcissistic_vulnerability_pimps/

By Dan Goodin in San Francisco
The Register
23rd April 2010 

Updated - In an official blog post, an employee in Verizon's Risk 
Intelligence unit has taken aim at researchers who disclose security 
flaws, calling them "Narcissistic vulnerability pimps" and comparing 
them to criminals.

"Have you ever heard of a terrorist referred to as a 'demolition 
engineer?'" the unnamed author of the rant asked, one presumes 
rhetorically. "How about a thief as a 'locksmith?' No? Well, that's 
because most fields don't share the InfoSec industry's ridiculous yet 
long-standing inability to distinguish the good guys from the bad guys."

The post goes on to propose that a person who discloses security flaws 
henceforth be labeled a "narcissistic vulnerability pimp," which the 
writer defines as "One who - solely for the purpose of 
self-glorification and self-gratification - harms business and society 
by irresponsibly disclosing information that makes things less secure."

Besides befuddling all the men in leopard fur coats and feather-laced 
hats, this comparison is problematic for other reasons. As the recent 
Pwn2Own contest made abundantly clear, software makers can't be counted 
on to secure their products, at least not on their own. Security 
researchers armed with real-world vulnerabilities provide an important 
check on internal security teams and give them a powerful incentive to 
be thorough in finding bugs and swift in fixing them.

[...]


_______________________________________________
Best Selling Security Books and More!
Shop InfoSec News
http://www.shopinfosecnews.org/ 
Received on Sun Apr 25 2010 - 22:41:43 PDT

This archive was generated by hypermail 2.2.0 : Sun Apr 25 2010 - 22:51:34 PDT