Security researchers organization

From: Thor Larholm (thor_at_PIVX.COM)
Date: 11/17/03

    Date:         Mon, 17 Nov 2003 13:09:46 -0800
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    > From: Russ [mailto:Russ.Cooper@rc.on.ca]
    > (Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
    > <snip http://tinyurl.com/ve83>
    > Thor Larholm proposed the idea of a "Union" to me. While I don't like
    > the concept of unions in this day and age, our field is one that
    > could benefit from such an idea wrt discoverers. They are far too
    > often bashed (and I have been guilty of this), and often not
    > recognized for what they do.

    Whenever I talk about this issue, wording becomes an issue :)

    "Union" is undoubtedly the wrong phrase. What I would like to see
    created is an organization that would promote and protect the interests
    of security researchers, plain and simple. There is currently no
    organization that exists solely to guide, help and represent security
    researchers on a larger scale, yet we can all recognize the need.

    We have all seen organizations, proposals and disclosure guidelines that
    are created by vendors for vendors, by governments for governments, even
    by statisticians for statisticians. All of these provide little to no
    incentive for most researchers to undertake extensive requirements,
    particularly for non-corporate based researchers that do not strive to
    put a standards label on their scoreboard. All of these fail to aid and
    simplify the work required of any researcher who has already voluntarily
    spent a considerable amount of their time to review, assess and
    understand the intricate processes of the vendor's product, sometimes
    better than the vendor itself. All of this is particularly important to
    remember as the vast majority of researchers are reporting
    vulnerabilities on a completely voluntary, non-contractual,
    non-commissioned basis, freely helping the vendor to secure their
    products.

    Helping establish contact with vendors, crediting the work of
    researchers, offering assistance and third party review, leveraging the
    knowledge of experienced researchers, lobbying against anti-research
    legislation, even acting as a proxy between researcher and vendor when
    the researcher so desires (more often than not out of fear of legal
    reprimand from the vendor) - there are so many ways that we could
    benefit from an organization created by researchers for researchers.

    A lot of people have proposed organizations that deal with one or
    another of these aspects, though not all. Most recently, Mark Rasch
    proposed an ISAC (Information Sharing and Analysis Center) like the IT
    industry, telecommunications industry and banking industry have
    (http://www.securityfocus.com/columnists/197). A security researchers
    organization could not only advance such ideas as parts of its
    operations, but even apply the sufficient representation and lobbying of
    thousands of organized researchers to establish concepts such as bug
    bounties as Mark suggests.

    We are a wide, international and differing group of researchers, some
    with malicious and others with altruistic intents for finding security
    vulnerabilities. Despite our differences we have much in common - we are
    deeply interested in advancing our knowledge of security and information
    technology, we find vulnerabilities, we want the vendor to know about
    these at some point in time and we want to be accredited for our
    findings. These are all common ideals we can agree and act upon, without
    having to be of the same persuasion about which disclosure policy is the
    best. Just like the workers of the last century who organized into
    unions, we are a differing group of individuals with common goals to
    fight for. We want our work to be respected and valued, we want
    credibility and influence.

    Establishing an organization that represents security researchers is not
    just for the good of researchers themselves, it is for the good of the
    community and industry as a whole. The vendors would most definitely
    benefit from an organization such as this, suddenly being able to
    approach and debate with a single organization representing thousands of
    individual researchers as opposed to the status quo of debating
    guidelines with thousands of disparate individuals - the latter
    essentially being a moot point.

    I have talked with a variety of seasoned security professionals about
    this idea, and everybody recognizes the need. With the proper backing
    and support, I can most definitely see such an organization take root
    and I am more than willing to help in any such effort.

    Regards

    Thor Larholm
    Senior Security Researcher
    PivX Solutions
    24 Corporate Plaza #180
    Newport Beach, CA 92660
    http://www.pivx.com
    thor@pivx.com
    949-231-8496

    PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
    Qwik-Fix <http://www.qwik-fix.net>


