> the security people can usually get it right

Having worked for an AV vendor, I assure you that is not the case. Just check Project Zero[1]: most of them do parsing of complex binary formats in kernel mode, 'nuff said. This is just one example, but all major vendors have had issues:

[1] https://googleprojectzero.blogspot.ro/2016/06/how-to-comprom...

-----------------

OTOH, there are a few individuals who show a great deal of care about software correctness. Daniel Bernstein comes to mind, but many other people are offering big bounties for their personal projects and have a track record of delivering correct software. But even in cases such as these, there are probably some hidden bugs in there, because of the inherent complexity. Nobody has the time to verify the fine interactions between the compiler, OS, libraries, etc. At the end of the day, if you want higher quality software, you have to incentivize it, as others have mentioned.