Redefining "Security Researcher"


April 22nd, 2010

Have you ever heard of a terrorist referred to as a "demolition engineer?" How about a thief as a "locksmith?" No? Well, that's because most fields don't share the InfoSec industry's ridiculous yet long-standing inability to distinguish the good guys from the bad guys. Perhaps we're just in one of those moods lately but it seems to be getting worse. It's far too easy for anyone who has anything to do with information security to be labeled (by themselves or by others) a "security researcher" without regard to their behavior. "Security Researcher Breaks This" and "Security Researcher Exposes That" say the headlines. Ugh; we really need to clean up our language. This begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.

[The inability to distinguish can be attributed to both the media and security companies using, abusing and re-using terms interchangeably. The age-old "hacker vs cracker" debate for example, when some would use those terms to distinguish morals and motives. Regardless of motives, "security researcher" is an accurate term for the act of testing a product and finding a vulnerability.]

Why does this matter? Well, it's a matter of principle: One is either part of the problem or part of the solution. Problem-makers and Solution-makers should no more share a label than terrorists and engineers do. Sure, they both interact with explosives in their daily business, but they put their skills to vastly different uses. Is there a reason we must continue to label people by the elements of their trade rather than the merit of their deeds? We think not.

[Which ties back into the debate, who is the real bad guy here? The company that refused to spend money on proactive security because it had no visible ROI or the guy who finds a gaping hole in the product? When a company sells me a security product as a 'solution' and it contains vulnerabilities itself, are they part of the problem or solution, or both? More and more, it seems companies are falling back on the old argument that things must be black and white, no room for grey, just as this blog does.

Instead of offering "security services" and being a "security company", then we can now accurately and easily label you "profit engineers"? That speaks to the merit of your deeds instead of the element of your trade.]

We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:

[This is a whole lot of spew that can be boiled down to "irresponsible disclosure means Narcissistic Vulnerability Pimp". Interesting to note that none of the other definitions specifically mention "responsible disclosure".]

It's time to draw a line in the sand. If you too are tired of seeing criminals elevated to a podium of legitimacy and bestowed the same job title you possess, join us. We'd be grateful to have the company.

[Does that line in the sand include you firing some of your employees that have participated in narcissistic vulnerability pimping? Or is it ok to overlook that and just support this change of wording from here on out?]
