[Dailydave] software security, disclosure, and bug bounties

Dave Aitel dave at immunityinc.com
Tue Nov 25 14:28:58 EST 2014


The "Bugs don't matter" mantra is probably a standard side effect of
people trying to outlaw exploits. Sadly, these people are weirdly doing
so within the auspices of civil liberties.

Of course, it is hard to disagree that the fuzzing and work you've been
doing on FFMPEG and friends is not going to have an impact (I decline to
say positive or negative here ;>). However, it is possible that
something like the Linux/Windows/Hypervisor-of-your-choice Kernel is
beyond the reach of this sort of behavior. 

-dave

On 11/24/2014 5:46 PM, Michal Zalewski wrote:
> Yes; to be perfectly clear - I sent my response somewhat hastily, but
> I am not arguing that good design practices, system-level mitigations,
> or secure-by-default coding frameworks do not matter. In fact, in many
> cases, they matter more than finding bugs.
>
> I can say this from experience; in all the places I have worked at so far,
> the only scalable way to do security was to make it hard for
> developers to shoot themselves in the foot; fuzzing and bug-hunting are
> added as a cherry on top, but not as a substitute for having a
> competent security program to start with.
>
> On the flip side, I am somewhat unhappy with the "bugs don't matter"
> mantra that has been making the rounds within the industry over the past
> few years. The claim that finding individual bugs in suspected-bad
> software is a waste of time seems like an extension of that.
>
> I think that arguments like that ignore the complex realities of
> "commodity" software engineering (including the sometimes wobbly
> foundations everybody is building on top of), and the fact that the
> mitigations at our disposal are often imperfect or difficult to
> retrofit. I also feel that bug-hunting in less-robust software
> generally isn't as expensive as portrayed, can take out the
> low-hanging fruit pretty comprehensively and immediately, and provides
> a more fertile ground for systemic improvements later on.
>
> So, in my view, the value of squashing individual bugs, even in
> something like ffmpeg, is pretty clear.
>
> /mz
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave

