January 26, 2005

Do 'irresponsible' security researchers help or hinder security?

By making coding flaws public, are security researchers exposing us all to unnecessary risk?

To many software makers and security consultants, flaw finder David Aitel is irresponsible.

The 20-something founder of vulnerability assessment company Immunity hunts down security problems in widely used software products. But unlike an increasing number of researchers, he does not share his findings with the makers of the programs he examines.

Last week, Immunity published an advisory highlighting four security holes in Apple Computer's Mac OS X -- vulnerabilities that the company had known about for seven months but had kept to itself and its customers.

"I don't believe that anyone has an obligation to do quality control for another company," Aitel said. "If you find out some information, we believe you should be able to use that information as you wish."

* ZD Net (UK)

Posted by volubis at January 26, 2005 12:18 AM