[Dailydave] software security, disclosure, and bug bounties

Michal Zalewski lcamtuf at coredump.cx
Mon Nov 24 17:46:02 EST 2014

Yes; to be perfectly clear - I sent my response somewhat hastily, but
I am not arguing that good design practices, system-level mitigations,
or secure-by-default coding frameworks do not matter. In fact, in many
cases, they matter more than finding bugs.

I can say this from experience; in all the places I worked at so far,
the only scalable way to do security was to make it hard for
developers to shoot themselves in the foot; fuzzing and bug-hunting is
added as a cherry on top, but not as a substitute for having a
competent security program to start with.

On the flip side, I am somewhat unhappy with the "bugs don't matter"
mantra that has been making the rounds within the industry over the past
few years. The claim that finding individual bugs in suspected-bad
software is a waste of time seems like an extension of that.

I think that arguments like that ignore the complex realities of
"commodity" software engineering (including the sometimes wobbly
foundations everybody is building on top of), and the fact that the
mitigations at our disposal are often imperfect or difficult to
retrofit. I also feel that bug-hunting in less-robust software
generally isn't as expensive as portrayed, can take out the
low-hanging fruit pretty comprehensively and immediately, and provides
more fertile ground for systemic improvements later on.

So, in my view, the value of squashing individual bugs, even in
something like ffmpeg, is pretty clear.
