News Stay informed about the latest enterprise technology news and product updates.

The man behind the Month of Search Engine Bugs speaks

Ukrainian security researcher Eugene Dokukin, more widely known by his online name MustLive, is about to launch a new "Month-of" flaw disclosure project focusing on search engine bugs, at a time when many security professionals are dismissing such projects as shameless publicity. In an interview conducted by email, he describes his background and motive for the Month of Search Engine Bugs, and why he thinks the naysayers are mistaken.

Describe your background, as far as who you work for, what your specialty is and how you got the idea to focus on search engine flaws.
I'm a security consultant and researcher from the Ukraine. I'm creator and administrator of Websecurity, the first Ukrainian resource about Internet security. That's my specialty. I've worked in the Web application security field for more than two years, after releasing the first version of my MustLive Security Pack. I've worked in the IT field for 13 years. Why have a Month of Search Engine Bugs?
The main task of Month of Search Engines Bugs is to demonstrate the real state of security in search engines. Search engines are the most popular sites on the Internet, and millions of people visit them every day, so these sites need to be secure. But they are not. The project's task is to let the Web community as a whole and users of search engines understand all the risks, and to draw the attention of search engine owners to the security issues of their sites. My project will help improve search engine security and the security of the Internet as a whole.
'Month of' projects:
Why hacking contests, 'month-of' projects don't help: Ivan Arce, chief technology officer of Core Security Technologies in Boston, gives his take about the 'month of' projects.

'Month-of' flaw projects come under fire: The Month of Apple Bugs has some wondering if the real motive for such disclosure projects is better security or better press coverage.
Some security experts have dismissed the recent flood of "month-of" projects as more of a PR stunt than something to improve security. What do you say to that?
I don't agree. These guys need to understand that talking -- what they are doing -- and working --what I am doing -- are different things. It's harder to work at something than just speak and say it is not so good. [Security] is not about words, but deeds. Are you going to expose one flaw a day or multiple flaws a day?
I'm going to make a minimum of one post with one or multiple holes a day for one search engine. But there will be bonus posts with additional bugs for some search engines. Are you releasing details of these flaws after notifying the search engine providers, or will they be learning about them for the first time?
I am going to inform the search engine vendors as I usually do. Every participant of the project will be informed -- up to 30 engines. [But] search engine workers need to be attentively watching my site. Details about the rules of my project will be published at the end of this month. How responsive have companies like Google and Yahoo been when you've notified them of the flaws?
In my work, I regularly find holes in search engines and I inform every search engine vendor about what I find. But in my practice not every vendor fixes the holes in their engine. And not every vendor thanks me for my work because they are too busy counting the money their users bring to them. There are too many holes in search engines in the world. Vendors forgot about the security of their visitors, so I need to remind them. It will be total recall.

Dig Deeper on Emerging cyberattacks and threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.