Two On Vulnerability Disclosure

  • Ed Moyle has a very good post, “Inside Oracle’s Patch Kimono,” in which he compares Oracle’s process for working with vulnerability researchers with that of Microsoft. I’d like to add two really small bits: First, I’d have compared to the (MS-dominated) Organization for Internet Safety, and second, all of these put insufficient value on secondary and tertiary research uses of vulnerability data.
  • Speaking of secondary uses, don’t miss important research by Tom Ptacek about a design feature security bypass oh, heck, a battery died, and look what happens: “Authentication Bypass in Volvo 850 Stereo System v1994.” (Design note to self: When selling to Tom, ensure all batteries have a twenty-year lifespan so this doesn’t happen to us.)
  • Lastly, thanks to Pete Lindstrom who gave me a heads up about Notre Dame before Chris blogged it.