Tales from the Crypto

         Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

July 10, 2007

Aitel’s "Immunity" keeps bugs alive?

Filed under: General Security,Programmer Hubris @ 9:08 am

A couple of telling paragraphs from a story on Justine Aitel, CEO of Immunity, Inc. (nice to know Dave’s keeping it all in the family, just like we do at Texas Imperial Software):

Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.

“Bugs die when they go public, and they die when they get patched,” she said.

So, by “buying but not disclosing” these bugs, they’re preventing bugs from dying, by that logic – the only avenue left is for the bugs to get patched.

Fortunately, no, because although Immunity’s business model is based largely around keeping the rest of the world in the dark about new vulnerabilities as they notify their customers how to protect against them, it does seem from Microsoft’s Security Bulletins as though they report these vulnerabilities to Microsoft.

I hope Microsoft didn’t have to become a customer in order to get that information, though, because that would mean that it’s Immunity’s policy to keep bugs alive.

What happens if they find a bug in my software? Will I be told?

RSS feed for comments on this post. TrackBack URI

Leave a comment

© 2017 Tales from the Crypto   Provided by WPMU DEV -The WordPress Experts   Hosted by Microsoft MVPs