On Thursday 01 December 2011, Daniel-Constantin Mierla wrote:
IMHO certain denial of service attacks also belong to the "security bug" class. If somebody can easily bring my service down because of e.g. a crash during the processing of misformatted (network) input, then the availability of the service can be easily compromised.
Then flooding to fill the pipe will cause the same kind of issue for the availability of the service - a bug of the infrastructure.
As expressed in another email just sent, imo there are two categories here: stability and security
Hi Daniel,
Well, there is a difference between a "simple" DDoS attack, which of course can bring every service down given a big enough attacker's bandwidth, and a crash on a single invalid (SIP, SSL setup etc.) message, which is IMHO clearly a vulnerability.
The "classical" information security definition is CIA - confidentiality, integrity and availability. A break-in due to a software bug would be a breach of integrity, the discussed crash would affect the availability, and e.g. a wrong usage of TLS that causes missing encryption in messages would be a breach of the confidentiality.
http://en.wikipedia.org/wiki/Information_security
But you're right, I guess the right person to make this decision is the one that will work on this stuff in the end.
Best regards,
Henning