Month of Search Engines Bugs: project description

17:55 31.05.2007
And you will know the truth, and the truth will make you free.
(John 8:32)

These words from the Bible are very relevant in our time, particularly in the context of search engine security. The community doesn’t know about the real risks that search engines bring to it. And engine vendors like to convince everyone of their work on security (but it is far from reality). So the time has come to look truth in the eye, which I’ll be trying to bring to you.

Main purpose of the project: to demonstrate the real state of security in search engines. There are vulnerabilities in the engines (which means that their developers pay insufficient attention to security) and the community needs to know about that. Knowing the truth, every Internet user will be able to make a thoughtful choice concerning search engines.

Participants of the project: the most popular search engines of the world, including Google, Yahoo, MSN. These include both global search engines and local engines, which developers of popular engines offer to site owners for placing on their sites.

There are hundreds (and thousands) of different search engines in the world, big and small ones. It was not easy to choose the most popular of them. I spent a lot of time on this choice. I note that at the current time there is no information about the popularity of engines on a world scale. There is information about the popularity of engines in some countries (moreover, I mainly know this data), but there is no information about the whole world. For this reason the selection of participants is relatively subjective. But each of them holds a leading position in its own category.

If somebody does not find his favorite engine during the month, then don’t worry - there are holes in this engine also :-) . There are vulnerabilities in all engines. In my own practice of social security audit I found a lot of holes in search engines; I wrote about that on my site, and about some other holes I’ll write during the Month of Bugs. There are also many other engines where I found holes which didn’t get onto the final list of participants. There are a lot of engines in the world; one month is not enough to write about all of them. It would not be hard for me to make an additional month of bugs in search engines, even a full year of bugs. But the month will be enough to attract the attention of the Internet community to this problem. And about other engines, which didn’t get onto the list of participants, I’ll write later, during my own everyday work.

Rules of the project: participation of search engines in the project is voluntary. So I voluntarily chose participants for the project ;-) . Each day I will publish holes in a single engine. It can be one or more vulnerabilities. It will be so for 29 days, and on the 30th day I have planned a surprise (it will be a complex day of bugs). And on the 1st of July I’ll sum up the project.

Information disclosure for developers of search engines will be specific. It will be different from my general practice, where I find a hole, make an announcement (without details), then inform the site’s owner, and then after some time (presently it is 3 months) write up the details. This is a very long process, so for this project I chose another form of informing. All details will be published on the site without prior notification of the engines’ owners (so they need to watch the news). It will be close to real life, where bad guys find holes and use them without informing anyone, so engine vendors must be ready for that (and not dawdle). Welcome to the real world. Engines’ owners must understand that nobody has a job to inform them about anything; they need to attend to security on their own. In case somebody else attends to their security (and informs them), they need to appreciate it (some engine vendors forgot about that). Since I have announced this project, engines’ owners need to think about the security of their systems. And taking into account that my primary goal is security, I’ll send an official notification to all participants (about the participation in my project). And developers of engines just need to watch the news on the site and fix the vulnerabilities.

Also I have a proposition: let’s choose the best bug of the Month of Bugs. I propose two nominations: Best bug of MOSEB MustLive Choice and Best bug of MOSEB Visitors Choice. In the first nomination I have already chosen the winner, so now the visitors need to choose the winner in the second nomination. During the project, if you like some bug very much, then write a response in the comments (“Cool”, “Nice”, etc.). And at the end of the month I’ll count the votes. The results will be announced in the project’s totals.

Results of the project: improvement of the security of search engines and of the Internet as a whole.
