Reckless behavior, or recruiting magic? You decide…

I thought that this was interesting. Seems like some analysts at Gartner were debunking the practice of public hacking as a way to promote a project or company. Really? I suppose there are some dangers involved with that (duh!), but a great way to passively recruit engineers working in security? I mean, if they can hack their way into your product, wouldn’t you want them to work for you? Just a thought.

Here is a snippet from the article that had me wondering…

A pair of Gartner analysts Tuesday denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it “a risky endeavor” and urging sponsors to reconsider such public contests.

The research manager of TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.

Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a Vancouver security conference held two weeks ago. For his trouble, Dai Zovi took home the $10,000 prize offered by TippingPoint’s Zero Day Initiative, a bug bounty program that’s been in operation nearly two years.

Security researchers have called the QuickTime bug, which can be exploited through any Java-enabled browser, “very serious.” Apple has yet to patch, or announce when it will patch, the vulnerability.

“Public vulnerability research and ‘hacking contests’ are risky endeavors and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements,” said analysts Rich Mogull and Greg Young in a research note published by Gartner on Monday.

READ: Gartner: Hacking contests bad for business.
