AV/FW Adoption Sudies

Eric Rescorla ekr at rtfm.com
Thu Jun 10 19:23:42 UTC 2004


Valdis.Kletnieks at vt.edu writes:

> On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
>
>> My hypothesis is that the sets of bugs independently found by white
>> hats and black hats are basically disjoint. So, you'd definitely
>> expect that there were bugs found by the black hats and then used as
>> zero-days and eventually leaked to the white hats. So, what you
>> describe above is pretty much what one would expect.
>
> Well.. for THAT scenario to happen, two things have to be true:
>
> 1) Black hats are able to find bugs too
>
> 2) The white hats aren't as good at finding bugs as we might think,
> because some of their finds are leaked 0-days rather than their own work,
> inflating their numbers.

Both of these seem fairly likely to me. I've certainly seen
white hat bug reports that are clearly from leaks (i.e. where
they acknowledge that openly).

> Remember what you said:
>
>> relatively small. If we assume that the black hats aren't vastly more
>> capable than the white hats, then it seems reasonable to believe that
>> the probability of the black hats having found any particular
>> vulnerability is also relatively small.
>
> More likely, the software actually leaks like a sieve, and NEITHER group
> has even scratched the surface..

That's more or less what I believe the situation to be, yes.

I'm not sure we disagree. All I was saying was that I don't
think we have a good reason to believe that the average bug
found independently by a white hat is already known to a
black hat. Do you disagree?

-Ekr
