I’ve been captivated this week by the ongoing Pwn2Own security competition. Pwn2Own offers prizes to security researchers for demoing zero-day exploits for popular software. On Day 1, researchers demonstrated holes in Firefox, Internet Explorer, Safari, and the iPhone. The unwritten rules of legitimate security research demand that before disclosing security holes publicly, security researchers notify the vendors so that they have a reasonable opportunity to release patches. The story I linked to says as much:

So far, little is known about the successful exploits. Until vendors have been informed of the flaws and those flaws have been patched, details will not be made public.

Three-time winner Charlie Miller is taking a different approach this time around. He’s not going to disclose the holes he found, in hopes of motivating the vendors to get better at finding bugs themselves.

I once had a contract job in which I was on a team that audited Web applications for potential security holes. Nearly all of the problems we found were related to poor input validation and sanitization. Unsurprisingly, that’s how Miller finds bugs as well. He has a program that generates a wide range of bad input and looks for the applications to break in interesting ways.

Sounds like Apple, Microsoft, and Mozilla should invite him over to give some guest talks.