AV/FW Adoption Studies
Eric Rescorla
ekr at rtfm.com
Thu Jun 10 19:23:42 UTC 2004
Valdis.Kletnieks at vt.edu writes:
> On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
>
>> My hypothesis is that the sets of bugs independently found by white
>> hats and black hats are basically disjoint. So, you'd definitely
>> expect that there were bugs found by the black hats and then used as
>> zero-days and eventually leaked to the white hats. So, what you
>> describe above is pretty much what one would expect.
>
> Well.. for THAT scenario to happen, two things have to be true:
>
> 1) Black hats are able to find bugs too
>
> 2) The white hats aren't as good at finding bugs as we might think,
> because some of their finds are leaked 0-days rather than their own work,
> inflating their numbers.
Both of these seem fairly likely to me. I've certainly seen
white hat bug reports that are clearly from leaks (i.e. where
they acknowledge that openly).
> Remember what you said:
>
>> relatively small. If we assume that the black hats aren't vastly more
>> capable than the white hats, then it seems reasonable to believe that
>> the probability of the black hats having found any particular
>> vulnerability is also relatively small.
>
> More likely, the software actually leaks like a sieve, and NEITHER group
> has even scratched the surface..
That's more or less what I believe the situation to be, yes.
I'm not sure we disagree. All I was saying was that I don't
think we have a good reason to believe that the average bug
found independently by a white hat is already known to a
black hat. Do you disagree?
-Ekr
More information about the NANOG mailing list