My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure:
I think that Dave has a valid point here, but not all interesting security bugs are on corporate networks. A no-credential overflow in the new Doom, for example, would create tens of thousands of new zombie machines, and is broadly relevant. (Not to mention the number of work machines used for blowing off steam after hours, in violation of policy, of course.)
I’m curious: If we want these bug hunters to be more useful to us, how can we encourage them to find better bugs?
[Update: More in response to Pete Lindstrom’s comments in a Nov 13 post.]