Thor Lancelot Simon <[EMAIL PROTECTED]> writes:
> On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
>> in the paper.
>>
>> Roughly speaking:
>> If I as a White Hat find a bug and then don't tell anyone, there's no
>> reason to believe it will result in any intrusions. The bug has to
>
> I don't believe that the premise above is valid. To believe it, I think
> I'd have to hold that there were no correlation between bugs I found and
> bugs that others were likely to find; and a lot of experience tells me
> very much the opposite.

The extent to which bugs are independently rediscovered is certainly an open question which hasn't received enough study. However, the fact that relatively obvious and serious bugs seem to persist for long periods of time (years) in code bases without being found in the open literature suggests that there's a fair amount of independence.

-Ekr
