A treatise on vulnerability discovery and disclosure

by Anton Chuvakin

Related link: http://www.eeye.com/~data/publish/whitepapers/research/OT20050512.FILE.pdf

I would not call something a "treatise" just because it sounds cool :-) It is really a comprehensive paper on the modern vulnerability discovery and disclosure landscape. It even mentions 'vulnerability sharing clubs' and other recent developments in the space.

I especially like this quote that should be read and reread by those who incessantly blabber about "staying ahead of the hackers": "Zero day vulnerabilities are in frequent use among the hacker community. After being used for a period of time, zero days are either sold to security research organisations, who 'ethically disclose' them to the vendor, or simply shared with a wider and wider circle until they become public."