David Piscitello says he is getting more and more annoyed with Bugtraq reports that have absolutely nothing to do with enterprise security - to the point where he's written to some of the bug finders to ask why he should care about the flaw they found:
The exchange I had with one wannabe who posted a report of a buffer overflow in a 2001 version of a PC game on Windows 98SE is indicative of the problem:
Dave: "What practical consequence does this bug have for someone operating a large business network?"
Wannabe: "Nothing, this game is not so much diffused and in a "large business network" the people should do their job, not play with games (except if the company is a software house that develops games)."
Dave: "The game's 4 years old, and wasn't a very good one. What's the attack vector for this game? Think of all the conditions that have to fall into place to compromise one home computer. It's too improbable to bother reporting, and the vendor is not going to invest a penny to fix it. So who benefits from the report?"