“Narcissistic Vulnerability Pimps”

Is it just my perception, or is there a diminishing number of good rants on the Internet?

“Admin” on the Verizon Security Blog posted a really great one last week that deserves comment.

“Admin” is David Kennedy, who has been with the research group(s) of NCSA/ICSA/Verizon Business for about 15 years. I worked for him. He took the literary form of the rant to levels that have only rarely been reached in the history of human thought. His rants were so awe-inspiring that we began documenting them in a “Best of Kennedy” document.

But I digress.

Last week he posted a blog piece titled “Redefining ‘Security Researcher’”. In it he decries “researchers” who ignore the traditions of responsible disclosure and reveal vulnerabilities in applications or operating systems for the questionable glory of it.

He writes:

“Ugh; we really need to clean up our language. This begins with setting a few principles and regularly using more accurate descriptors in our publications and daily conversations.”

. . .

“We at Verizon Risk Intelligence do hereby adopt and resolve to faithfully use the following definitions:

“Security Researcher: One who studies how to secure things and/or how things are not secure in order to find a solution.

“Security Practitioner: One who applies the findings of the Security Researcher in order to make things more secure.

“Narcissistic Vulnerability Pimp: One who – solely for the purpose of self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure (or increases risk).

“Criminal: One who actively subverts security without authorization or deliberately creates ways for others to do so.

“It’s time to draw a line in the sand. If you too are tired of seeing criminals elevated to a podium of legitimacy and bestowed the same job title you possess, join us. We’d be grateful to have the company.”

Tom Kelchner