The Market-Driven (Vulnerability) Economy, Part Deux
Jose’s post on buying and selling vulnerabilities got me to really start thinking again about whether vendors should pay independent security researchers for the information they discover, and, if they choose not to, whether they have any say in applying stipulations to that research, such as rules of disclosure or anything else. Personally, I don’t believe that I should have to hand over any of my research or agree to any stipulations they have, and it’s an insult for the vendor to ask anyone to do so. That vulnerability is the product of a lot of hard work and time which went into its discovery and development, and it has a lot of value. If not to the vendor, then most certainly to somebody else, no? That value is dependent on many different factors. For instance: how many product versions does the vulnerability affect? Is it local or remote? Is somebody else already offering money? How much would it be worth to a company that develops vulnerability scanners to have zero-day vulnerabilities? What about their competitors? How about to the government or international entities? These don’t come even close to covering all of the potential scenarios.
You could say that vulnerability research amounts to quality assurance in some ways, and I’d agree with you. In other ways, it’s also intellectual property. Let’s try an analogy. There are many organizations who may need to do their own research on a particular product, say Microsoft Windows. Maybe the organization is trying to gain a competitive advantage over one of its competitors. Whatever the case may be, a lot of hard work goes into that research for the organization’s benefit. When the organization has finished its research, does Microsoft have an expectation that the company will just hand it over to them for free, just because it involves one of their own products? Obviously not.
I’m constantly amazed by how simple these answers are and yet some vendors simply don’t get it. The world is changing, and I think it’s time that certain vendors wake up and take a look around at the new world they live in.