> From: Russ [mailto:Russ.Cooper@rc.on.ca]
> (Was: Vulnerability Disclosure Formats (was "Re: Funny article"))
> <snip http://tinyurl.com/ve83>
> Thor Larholm proposed the idea of a "Union" to me. While I don't like
> the concept of unions in this day and age, our field is one that
> could benefit from such an idea wrt discoverers. They are far too
> often bashed (and I have been guilty of this), and often not
> recognized for what they do.

Whenever I talk about this issue, wording becomes an issue :) "Union" is undoubtedly the wrong phrase. What I would like to see created is an organization that would promote and protect the interests of security researchers, plain and simple.

There is currently no organization that exists solely to guide, help and represent security researchers on a larger scale, yet we can all recognize the need. We have all seen organizations, proposals and disclosure guidelines that are created by vendors for vendors, by governments for governments, even by statisticians for statisticians. All of these provide little to no incentive for most researchers to undertake extensive requirements, particularly for non-corporate researchers who do not strive to put a standards label on their scoreboard. All of these fail to aid and simplify the work required of any researcher who has already voluntarily spent a considerable amount of their time reviewing, assessing and understanding the intricate processes of the vendor's product, sometimes better than the vendor itself. All of this is particularly important to remember, as the vast majority of researchers are reporting vulnerabilities on a completely voluntary, non-contractual, non-commissioned basis, freely helping the vendor to secure their products.
Helping establish contact with vendors, crediting the work of researchers, offering assistance and third-party review, leveraging the knowledge of experienced researchers, lobbying against anti-research legislation, even acting as a proxy between researcher and vendor when the researcher so desires (more often than not out of fear of legal reprimand from the vendor) - there are so many ways that we could benefit from an organization created by researchers for researchers.

A lot of people have proposed organizations that deal with one or another of these aspects, though not all. Most recently, Mark Rasch proposed an ISAC (Information Sharing and Analysis Center) like the ones the IT industry, telecommunications industry and banking industry have ( http://www.securityfocus.com/columnists/197 ). A security researchers' organization could not only advance such ideas as part of its operations, but even apply the sufficient representation and lobbying of thousands of organized researchers to establish concepts such as the bug bounties Mark suggests.

We are a wide, international and differing group of researchers, some with malicious and others with altruistic intents for finding security vulnerabilities. Despite our differences we have much in common - we are deeply interested in advancing our knowledge of security and information technology, we find vulnerabilities, we want the vendor to know about these at some point in time and we want to be credited for our findings. These are all common ideals we can agree and act upon, without having to be of the same persuasion about which disclosure policy is the best. Just like the workers of the last century who organized worker unions, we are a differing group of individuals with common goals to fight for. We want our work to be respected and valued, we want credibility and influence.
Establishing an organization that represents security researchers is not just for the good of researchers themselves, it is for the good of the community and industry as a whole. The vendors would most definitely benefit from an organization such as this, suddenly being able to approach and debate with a single organization representing thousands of individual researchers as opposed to the status quo of debating guidelines with thousands of disparate individuals - the latter essentially being a moot point.

I have talked with a variety of seasoned security professionals about this idea, and everybody recognizes the need. With the proper backing and support, I can most definitely see such an organization take root, and I am more than willing to help in any such effort.

Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
949-231-8496