Comments on ADD / XOR / ROL: Why are most researchers not a fan of standards on "responsible disclosure"
Blog author: halvar.flake (http://www.blogger.com/profile/12486016980670992738)
Feed updated: 2024-03-03T02:04:07.138-08:00

Comment by Unknown (https://www.blogger.com/profile/01058006608728478408), 2009-11-15T18:47:30-08:00:

> I am not sure whether I should post this.

You shouldn't. Because then you may have a hard time in the future getting contracts and stuff.

See, if you know the basic thing about economics, it's very obvious that for an individual researcher, responsible disclosure is against their interests.

Full and responsible disclosure are in place because the industry realized that building good software is complicated and expensive, and is a way to reduce cost by employing cheap programmers and making people report bugs for free.

Makes all the sense in the world if you have a business that builds software. But it's in direct conflict with the interests of programmers and researchers, the first being replaced with cheap code-monkeys that churn out one bug per function, and the second forced to give up their work for free.

In fact, I may be wrong, but I'm pretty sure that there are laws about this kind of price-fixing behavior, because enterprises do this kind of thing constantly in other fields.

Comment by Vikram Phatak (https://www.blogger.com/profile/16376351463002260076), 2009-11-15T16:54:36-08:00:

100% Right on the money. (pun intended)

Comment by Aviram Jenik (https://www.blogger.com/profile/09833424614994949507), 2009-11-15T16:54:17-08:00:

Great Post.

The analogy to Anti-Virus will always break down, though. These guys have a "guild" where they share information with each other and the respected vendors but not with the world. It's a very unique structure that comes in part to raise a barrier from competitors coming in swiftly.

I think the answer, rather than paralleling it to AV, is to create a "researcher guild" that will be strong enough to create researcher-oriented rules which will set the standard. Researchers can then say they were "following industry standards", which is what the AV companies are saying when asked why malware is being exchanged freely among them.

Comment by Vikram Phatak (https://www.blogger.com/profile/16376351463002260076), 2009-11-15T16:53:12-08:00:

100% Right on the money. (Pun intended)