The Ethics of Vulnerability Research

Mistakes? I don't think so. People program in a certain manner and many times don't have the clairvoyance of being able to know all flaws beforehand (or they are otherwise too lazy to think them out). Programmers DO NOT update software unless a change is requested or something goes bump in the night. "Optimization" is NOT ongoing nor the expected destination no matter what management or the vendors say.

 

Knowing that there will always be someone who will take advantage of a weakness in an OS to cause mischief , and if a programmer does not realize this weakness then it is a mistake of omission. ONLY AN OMNISCIENT PROGRAMMER CAN CREATE A MISTAKE LESS OS!!!

All others must accept attacks sooner or later.

 

Source : http://www.mcafee.com/us/local_content/white_papers/wp_ricochetbriefbuffer.pdf

 

OpenBSD tried to do code audits and that was abandoned.

 

We have version tracking as part of software development. That was instituted to prevent confusion when you updated programs. Of course, I NEVER got confused about my programs and think this mandatory adjunct system is a nuisance.

 

Is there research on whether it's more a case of new programs entering the market are more of a target (which would affect generally a smaller number of people) or is it always the established programs (microsoft) with a larger market share?