-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Crispin Cowan <crispin@immunix.com> wrote:
> A subtle distinction may be the root cause here: Sardonix seeks to
> change the research model from "find a bug, win a prize! (fame & glory
> for half a day)" to "audit software, report what you find, and win a
> reputation for the long term." Having a pile of audited software is
> *much* more useful to admins than an endless stream of "gotcha again!"
> advisories. But from the lack of response from security investigators, I
> conjecture that "find a bug, win a prize!" is more fun to do, and so
> that's what investigators choose to do.

Hmm... I'd say that from the admin's perspective, the main problem with the "find a bug, win the right to publish an advisory" system of non-monetary rewards for finding security vulnerabilities is that it tends to happen only after the software in question is widely deployed, so that the endless stream of "gotcha again!" advisories means endlessly having to upgrade the same software over and over again.

How should I go about trying to find people who are skilled in the area of finding security bugs, and who would be willing to have a good look at key components of DotGNU (see http://dotgnu.org ) before they're widely deployed?

In particular, right now it'd be good to have skilled "security review" help with DotGNU Portable.NET in these areas:

* checking the adherence of the bytecode verifier to the published spec and security conditions
* range-checking of all values that need it
* environmental security - controlling access to system facilities such as files, network, preferences, etc.

We're interested both in documentation of problems, as well as in documentation of things that are not problems.

Discussion of these and related matters is welcome on the pnet-developers mailing list, see http://dotgnu.org/mailman/listinfo/pnet-developers .

Nota bene, we're aware that Portable.NET still lacks certain security features, especially in the area of environmental security, and we can use help with identifying all of the places where security will need tightening for both app usage and applet usage.

Greetings, Norbert.

- -- 
Founder & Steering Committee member of http://gnu.org/projects/dotgnu/
Free Software Business Strategy Guide ---> http://FreeStrategy.info
Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
Tel +41 1 972 20 59       Fax +41 1 972 20 69       http://norbert.ch
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/vAiZoYIVvXUl7DIRAuQXAJ9OEk01Y9PfH+mdhhHkwlOq4H7U+wCff8E+
DqUw0XnUW6NkaBycJ180q0U=
=PUiL
-----END PGP SIGNATURE-----