Hacking Contests: See No Evil, Hear No Evil
Are 'hacking contests'--events where companies offer prizes to users who can uncover software vulnerabilities--a threat to security? Gartner thinks so. But is it too quick to judge?
May 11, 2007
Can plugging a security vulnerability ever be a bad thing? We'd argue no; others, including Gartner, disagree.
At issue are hacking contests, where a company posts a bounty to encourage people to uncover software vulnerabilities, so they can ultimately be closed. Gartner recently pointed to two hacking contests--a Mac one at CanSecWest and an event that discovered an Apple QuickTime flaw--and said "conducting vulnerability research in a public venue is risky and could lead to mishandling or treating too lightly these vulnerabilities."
As someone who has participated in such contests, I disagree. When a vulnerability is found and publicly announced, what's the downside? The hole is there regardless--indeed, the event uncovers it. How is this more dangerous than not running the contest and hoping the bad guys won't find it first? --Jordan Wiens, [email protected]