Ed Moyle has a very good post, “Inside Oracle’s Patch Kimono,” in which he compares Oracle’s process for working with vulnerability researchers with that of Microsoft. I’d like to add two really small bits: First, I’d have compared to the (MS-dominated) Organization for Internet Safety, and second, all of these put insufficient value on secondary and tertiary research uses of vulnerability data.
Speaking of secondary uses, don’t miss important research by Tom Ptacek about a design feature... security bypass... oh, heck, a battery died, and look what happens: “Authentication Bypass in Volvo 850 Stereo System v1994.” (Design note to self: When selling to Tom, ensure all batteries have a twenty-year lifespan so this doesn’t happen to us.)
Lastly, thanks to Pete Lindstrom who gave me a heads up about Notre Dame before Chris blogged it.