[32494] in bugtraq
RE: Security researchers organization
daemon@ATHENA.MIT.EDU (Jeremy Epstein)
Wed Nov 19 18:31:11 2003
Message-ID: <5B10E50E14A4594EB1B5566B69AD940702B96536@maileast>
From: Jeremy Epstein <jeremy.epstein@webmethods.com>
To: bugtraq@securityfocus.com, ntbugtraq@ntbugtraq.com
Date: Wed, 19 Nov 2003 09:37:46 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="ISO-8859-1"
I like the idea of this, but am concerned by the terminology.
<flame-bait>
What's being proposed is an organization of *vulnerability* researchers.
There are MANY other kinds of security researchers, including those who
design new forms of access controls, security models, intrusion detection
systems, security tools, etc. Security researchers publish results in
peer-reviewed conferences and journals, and their goal is to improve
understanding of security and provide mechanisms and tools.
Vulnerability researchers are focused on finding vulnerabilities in existing
software, which is a valuable contribution. While there's substantial
overlap in end goals, they (mostly) don't design security systems. And they
very rarely publish results in peer-refereed conferences and journals.
So in defining this organization, let's not call it something it isn't. One
isn't better or worse than the other, but they're not the same thing.
</flame-bait>
--Jeremy
