By Dan Goodin in San Francisco
23rd April 2010
Updated - In an official blog post, an employee in Verizon's Risk
Intelligence unit has taken aim at researchers who disclose security
flaws, calling them "Narcissistic vulnerability pimps" and comparing
them to criminals.
"Have you ever heard of a terrorist referred to as a 'demolition
engineer?'" the unnamed author of the rant asked, one presumes
rhetorically. "How about a thief as a 'locksmith?' No? Well, that's
because most fields don't share the InfoSec industry's ridiculous yet
long-standing inability to distinguish the good guys from the bad guys."
The post goes on to propose that a person who discloses security flaws
henceforth be labeled a "narcissistic vulnerability pimp," which the
writer defines as "One who - solely for the purpose of
self-glorification and self-gratification - harms business and society
by irresponsibly disclosing information that makes things less secure."
Besides befuddling all the men in leopard fur coats and feather-laced
hats, this comparison is problematic for other reasons. As the recent
Pwn2Own contest made abundantly clear, software makers can't be counted
on to secure their products, at least not on their own. Security
researchers armed with real-world vulnerabilities provide an important
check on internal security teams and give them a powerful incentive to
be thorough in finding bugs and swift in fixing them.