North American Network Operators Group

Re: AV/FW Adoption Studies
[email protected] writes:
> On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
>
>> My hypothesis is that the sets of bugs independently found by white
>> hats and black hats are basically disjoint. So, you'd definitely
>> expect that there were bugs found by the black hats and then used as
>> zero-days and eventually leaked to the white hats. So, what you
>> describe above is pretty much what one would expect.
>
> Well.. for THAT scenario to happen, two things have to be true:
>
> 1) Black hats are able to find bugs too
>
> 2) The white hats aren't as good at finding bugs as we might think,
> because some of their finds are leaked 0-days rather than their own work,
> inflating their numbers.

Both of these seem fairly likely to me. I've certainly seen white hat
bug reports that are clearly from leaks (i.e. where they acknowledge
that openly).

> Remember what you said:
>
>> relatively small. If we assume that the black hats aren't vastly more
>> capable than the white hats, then it seems reasonable to believe that
>> the probability of the black hats having found any particular
>> vulnerability is also relatively small.
>
> More likely, the software actually leaks like a sieve, and NEITHER group
> has even scratched the surface..

That's more or less what I believe the situation to be, yes. I'm not
sure we disagree. All I was saying was that I don't think we have a
good reason to believe that the average bug found independently by a
white hat is already known to a black hat.

Do you disagree?

-Ekr