    >> (hacker) ..It used to be a revered term.

    Still is where I'm standing 🙂

    >> It's actually a question of motive:
    >>
    >> Security Researcher - looks for vulnerabilities, is generally responsible
    >> about reporting them to the appropriate ..... the fact that some practice open
    >> disclosure blurs this. Generally, therefore, someone who investigates,
    >> finds, and reports.

    You are eloquent and on the money as always. I've a lot of respect for not only the skills, but also the morality of a lot of the players here (an example being e-eye).

    Even open disclosure, with all its perils -- particularly when the disclosure comes in the form of a ready-rolled exploit + readme for dummies -- is better than allowing companies to "get away" with security through obscurity.

    What I wonder about is the business model for some of these "researchers", and the obvious potentials for conflict of interest (The AV crowd being probably the most obvious, but let's leave them for a moment). How do you make cash from your research, assuming that you follow decent disclosure process? Microsoft have started giving "props" in the documentation of their patch documentation, but this is surely only valuable as a marketing tool.

    Do you work as consultants to corporate clients -- tipping off your clients ahead of time? Does that model really work if everybody knows that you will not make your work public until there is a fix? Are you tempted to "demonstrate" the power of an exploit -- particularly if you get frustrated with the response of an ISV?

    Is the advertising value cost effective simply to generate premium-priced security-audit/consultancy work?

    Any views? Anyone worked in this field, and made it pay (or otherwise?)

    Edited by - planet115 on 07/01/2003 12:34:12 PM