
Security’s Symbiosis

"In a recent paper titled 'Teaching an Old Dog New
Tricks,' security guru Marcus Ranum argues that independent "security
researchers" who spend their time constantly looking for security bugs
are a drain on the security community. He even has a name for these
people: vulnerability pimps.

He thinks that if these people were really serious about
security they would join product security teams at the vendors and
eschew their 15 seconds of fame on CNN or at DEFCON.

Marcus does not approve of releasing any information at all
about bugs that will place people at risk, regardless of other reasons.
And he practices what he preaches. When he recently used Fortify to
discover a number of exploitable buffer overflows in the venerable fwtk
firewall toolkit (which he helped to create back in the Pleistocene
era), he didn’t gleefully run to the press or even write the exploits
up for bugtraq. Instead, he contacted the owners of the appropriate
modules and told them what he had found."

This article touches on MANY good points and is well worth the read.

Article Link:
http://www.darkreading.com/document.asp?doc_id=118174