by MichaelGagnon 5296 days ago
Add together these three statements the author made:

(1) The vulnerability report exists in the "shadowy ground between the reports that are clearly crackpot and the reports which are clear enough that you can evaluate them with confidence" (from the blog)

(2) "Oh, we recognized it immediately. But it was so obviously wrong that we began to fear that we were missing something." (from the comments)

(3) "this entire investigation took five days to complete, plus another day or two to complete the necessary paperwork." (from the blog)

This blog post paints a picture that Raymond's organization does a bad job triaging reports and prioritizing investigations. It's a waste of five days to analyze an "obviously wrong" vuln report, just on the off chance that there is something deeper. How about spending five minutes emailing the author of the vuln report, explaining why it doesn't appear to be a vulnerability, then asking if there is anything deeper?

It's also crazy to spend a day or two filling out TPS reports on a crank vulnerability alert.

If an organization takes security seriously then it should spend increasing amounts of time on increasingly plausible vulnerability reports.


Those 'five days' and 'another day or two' could easily include time spent waiting in a queue, of course. In which case, it could be that only a few tens of minutes of actual time were spent on the report.

And how much time do they spend on the more plausible ones? You sound like you know this.