Linux Today: Linux News On Internet Time.

Help Net Security: A Comment on Bugtracking

Sep 02, 2001, 10:26 (6 Talkback[s])
(Other stories by Markus Triska)

[ Thanks to LogError for this link. ]

"The point is that I really appreciate the work of bughunters. Of course I would like to know as soon as possible whether the programs I use have security flaws. I'm honestly thankful for every bug that someone finds in my programs. I also understand the greed for being the first to report a bug.

On the other hand, if I discovered a bug, I would think very carefully about whether I should not inform the author before I submit a report to a security site on the net. For what do you gain - except being first - when suddenly everyone knows the bug, but no alternative is available? Would it then not have been better if the author had had a few days more to work without pressure on a clean solution? Why not live on in Acknowledgements and Thanks sections instead of in the spiteful dreams of angry programmers who introduce new bugs while fixing the old ones in a panic?

A note on bugtracking lists: Everyone can blindly copy every announcement and report from the net, bundle them and publish them. Even a program can do that. But what is it good for? Do you really expect someone to learn a list by heart in order to say someday: 'CGIForum? Hm, wait---yes, I once saw it in a bugtracking list. Don't use it.' To my mind, it's more likely that a person who wants to use a program will do some research on the web anyway. In this case, a list which offers minimal information per package, but this in great density, buys you exactly nothing."
