About CVE

Terminology
Documents
FAQs
CVE List

About CVE Identifiers
Obtain a CVE Identifier
Search CVE
Search NVD
CVE In Use

CVE Compatible Products
NVD for CVE Fix Information
More . . .
News & Events

Calendar
Free Newsletter
Community

CVE Editorial Board
Sponsor
Contact Us

Search the Site

CVE Community

Editorial Board
Mail List & Meetings Archive
Roles, Tasks, & Qualifications
Adding New Members
Sponsor

CVE In Use

CVE Compatible Products and Services
More . . .

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey

To: aleph1@securityfocus.com
Subject: Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
From: "Marcus J. Ranum" <mjr@nfr.net>
Date: Thu, 21 Sep 2000 14:19:10 -0400
Cc: Adam Shostack <adam@HOMEPORT.ORG>, "Steven M. Christey" <coley@linus.mitre.org>, cve-editorial-board-list@lists.mitre.org
Delivery-Date: Thu Sep 21 14:23:54 2000
In-Reply-To: <20000921094133.A28006@securityfocus.com>
References: <4.3.1.2.20000921094157.00a87870@fraggle.nfr.net><200009210010.UAA29952@teagarden.mitre.org><200009210010.UAA29952@teagarden.mitre.org><20000921093619.A11255@weathership.homeport.org><4.3.1.2.20000921094157.00a87870@fraggle.nfr.net>

aleph1@securityfocus.com wrote:
>Given that people cannot make money from disclosing vulnerabilities
>(that would be called blackmail), other than desire of helping
>the world be a more secure place, credit is the only incentive people
>have to disclose vulnerabilities.

I see. At least someone's willing to be honest about what's
going on. So the whole purpose is as a means of marketing
oneself? 

Am I the only person who finds this a rather thin, lame
justification?

>People need some type of remuneration for their work even if its not
>a financial one.

I see. Ego-gratification?

That's the reason I raised this issue. If folks are really
considering using cryptographic hashes and whatnot, just to
protect their ego-bragging rights, that seems like massive
technological overkill for what's really a social problem.

I.e.: "grow up, guys."

>  Maybe you'd like to stop charging money for NFR, and
>if I recall correctly you weren't particularly trilled when people took
>copies of the firewall toolkit, your work, and sold it as a commercial
>product without giving you any credit.

There's no similarity at all. I sell a product. It has tangible
value. Not ego value, not marketing value.

>The world is such a cruel place.

It's only a cruel place if you're willing to tolerate such
behavior, Aleph.

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://www.ranum.com

Follow-Ups:
- Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
  - From: Pascal Meunier <pmeunier@purdue.edu>
- Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
  - From: aleph1@securityfocus.com

References:
- Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
  - From: "Marcus J. Ranum" <mjr@nfr.net>
- [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
  - From: "Steven M. Christey" <coley@linus.mitre.org>
- Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
  - From: Adam Shostack <adam@homeport.org>
- Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
  - From: aleph1@securityfocus.com

Prev by Date: Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Next by Date: Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Prev by thread: Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Next by thread: Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Index(es):
- Date
- Thread

Page Last Updated: May 22, 2007