Tuesday, June 23, 2009

You Know You're Important When...

You know you're important when someone announces a "Month of Bugs" project for you. July will be the Month of Twitter Bugs, brought to my attention in this story by Robert Westervelt. The current project is led by a participant in the Month of Browser Bugs from three years ago named Avi Raff.

I don't see projects like that as being irresponsible. What would be more irresponsible is selling the vulnerabilities to the underground. Would the critics prefer that? In many cases, "Month of" projects are the result of running into resistance from developers or managers who are not taking vulnerabilities seriously. In many cases the vulnerabilities are already being exploited. Sure, packaging all of the vulnerabilities into a "Month of" project gains attention, but isn't that the point?


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

1 comment:

kurt wismer said...

not to put too fine a point on it, but if it's not 'responsible disclosure' then it is irresponsible.

selling to the underground is irresponsible? no it's criminal, it's called being an accessory.

is raising awareness the point? no, not really, the point seems to be using public opinion to force a company to bend to one's will arbitrarily. the company may (unbeknownst to anyone else) be investing its resources in secure development that could have a profound positive impact on users but their time then gets wasted chasing bugs individually because they have to be seen as doing something (regardless of whether or not those bugs would have been an issue once their intended development completed).