Friday, August 05, 2005

Cisco, Mike Lynn, and my door

Recently, there was much discussion (also see here) about Mike Lynn's presentation exposing a Cisco vulnerability.
Details are a bit fuzzy. It seems the patch was already made by Cisco.
In some ways, exposing security issues is beneficial for the industry, which would otherwise ignore them and never fix them - an industry needs watchdogs to force it to fix product defects, and the car industry is an excellent example. And of course, it is very human to want to (and have the right to) discuss your achievements - and for a security researcher, finding a security vulnerability is a major achievement.
However, I refuse to glorify such actions. If a neighbor noticed my house door was open, and updated a bulletin board in the middle of the town ("houses with unlocked doors can be found at..."), I would be unhappy; and I don't think I'd be loaning him the lawn mower again.

I think there should be a way for security researchers to get the fame (and improved job opportunity, and better pay, and everything an achievement usually entails) they deserve for finding security issues; and security researchers should show more responsibility on their part.
It boils down to processes and money. If a security researcher spends (on average) months and a very sophisticated skill set finding a security issue, then informs the company and makes no big deal about it, he's been cheated out of any rewards for his efforts - and both the community and the company got security testing and review for free.
That's an untenable situation; as long as researchers have an incentive to disclose security holes, they will; but I can't quite see that suing researchers would create the right kind of incentive.
What would I like to see? A substantial monetary reward & public recognition program for security researchers who find issues, complemented by a much longer wait time on disclosing the details of any security issue.
