Thursday, May 22, 2008

Face-Off: Is vulnerability research ethical?

Security Experts Bruce Schneier & Marcus Ranum Offer Their Opposing Points of View

Of course, the topic of "vulnerability research" is a really hot topic nowadays. Bruce Schneier and Marcus Ranum sound off in a Point-Counterpoint column on the ethics of vulnerability research. It's a really interesting debate between the two security experts and well worth reading.

This is the question every security expert is looking to answer: is vulnerability research ethical?

Not only do we still have buffer overflows, I think it's safe to say there has not been a single category of vulnerabilities definitively eradicated. That's where proponents of vulnerability "research" make a basic mistake: if you want to improve things, you need to search for cures against categories of problems, not individual instances. In general, the state of vulnerability "research" has remained stuck at "look for one more bug in an important piece of software so I can collect my 15 seconds of fame, a 'thank you' note extorted from a vendor, and my cash bounty from the vulnerability market." That's not "research," that's just plain "search."

I especially like that last line: "That's not 'research,' that's just plain 'search.'"

Every security expert will have a different opinion on this question. It is really interesting to read the two security experts debating this topic.

