----- Original Message ----- From: "Eric Rescorla" <ekr@rtfm.com>
Paul G <paul@rusko.us> wrote:
----- Original Message ----- From: "Eric Rescorla" <ekr@rtfm.com>
-- snip ---
If we assume that the black hats aren't vastly more capable than the white hats, then it seems reasonable to believe that the probability of the black hats having found any particular vulnerability is also relatively small.
and yet, some of the most damaging vulns were kept secret for months before they got leaked and published. i won't pretend to have the answer, but fact remains fact.
I don't think that this contradicts what I was saying.
My hypothesis is that the sets of bugs independently found by white hats and black hats are basically disjoint. So, you'd definitely expect that there were bugs found by the black hats and then used as zero-days and eventually leaked to the white hats. So, what you describe above is pretty much what one would expect.
there is a fair chance that the same bug will be found if several people audit the same piece of code, such as a very widespread, high profile piece of software. in fact, i know of at least one serious bug that was discovered independently by two different groups of people. in general, however, what you are saying makes complete sense. paul