Every time I see stuff like this (Lynn vs Cisco or Paget vs HID), I can't help but think this: every "whitehat" guy at least knows someone who knows a "blackhat" guy (I am guessing here, but you get the point ... if you think that the above is too extreme replace with "knows someone who knows someone who knows a "blackhat")
Don't companies that try to suppress security research understand that if you do this to a security researcher, even the most ethical guy in the world will be tempted to JUST LEAK IT.
If you corner a rat, it bites. Don't corner security researchers :-) they have bigger teeth... much bigger. You want to suppress the legitimate security research? You think you just did? Go suppress the entire underground now!
2 comments:
Even if every researcher is capable of leaking their work to the underground, I think it's safe to say that pressure to suppress this type of research is effective far more often than it's not. Of course, there's no way to know, since the vendors' advisories don't include whether or not they gagged some partner and for how long.
In my experience, it's pretty much standard practice in partner relationships to disallow the publishing of vulnerabilities without the vendor's blessing. And if that never comes, well...
So to that end, I would say that suppression works at several levels several degrees of magnitude more often than it blows up in the vendor's face. But it's awesome when it does.
Well, if it is indeed contractual ("standard practice in partner relationships to disallow the publishing of vulnerabilities without the vendor's blessing."), then maybe it is OK, but just trying to suppress a conference preso without any prior relationship sounds extreme
Post a Comment