{"id":632,"date":"2005-03-11T00:00:00","date_gmt":"2005-03-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2005\/03\/11\/security-experts-hit-out-at-unethical-bug-finder\/"},"modified":"2021-12-30T11:37:50","modified_gmt":"2021-12-30T11:37:50","slug":"security-experts-hit-out-at-unethical-bug-finder","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/?p=632","title":{"rendered":"Security experts hit out at &#8220;unethical&#8221; bug finder"},"content":{"rendered":"<p>Security experts have hit out at US firm Immunity Inc, which provides paid-up members with vulnerability information under non-disclosure agreements (NDA), which it subsequently keeps from vendors and the world at large.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A silicon.com article (http:\/\/software.silicon.com\/security\/0,39024655,39128296,00.htm) revealed Immunity and its founder Dave Aitel have been causing a stir in the security world in recent months with a business model branded &#8220;unethical&#8221; but entirely above-board.  The greatest source of growing concern appears to focus on the NDA and the potential for anybody to sign up and pay the price for notification of vulnerabilities.<\/p>\n<p>One rival bug finder, who operates along the more traditional lines of informing the affected vendor of the flaw in its product and working with them to patch it before releasing any details of the vulnerability, has hit out at Immunity Inc.  Drew Copley, senior research engineer at eEye Digital Security, told silicon.com the situation of signing members to a non-disclosure agreement in return for information on security vulnerabilities is &#8220;extremely unethical&#8221;.  Simon Perry, VP security strategy at CA, told silicon.com: &#8220;Knowledge cannot be effectively controlled.  
&#8220;NDAs in the IT community as a whole are not taken seriously and there do not appear to be adequate controls to ensure that the information does not leak to those who have an interest in creating a dangerous exploit. It does not improve security overall,&#8221; he added.<\/p>\n<p>Perry also questioned whether Aitel&#8217;s customers are getting value for money.  Because vendors are kept out of the loop, flaws go un-patched while Immunity&#8217;s customers are given a workaround.  &#8220;You&#8217;re given a workaround by Immunity, but you don&#8217;t have a fix &#8212; a patch from the vendor that permanently addresses the problem.&#8221;<\/p>\n<p>http:\/\/software.silicon.com\/security\/0,39024655,39128621,00.htm<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-632","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=632"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/632\/revisions"}],"predecessor-version":[{"id":3119,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/632\/revisions\/3119"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}