Exploit Sales: the New Disclosure Debate
msm1267 writes "There are a lot of echoes of the disclosure debate in the current discussions about vulnerability exploit sales. The commercial exploit market has developed relatively quickly, at least the public portion of it. Researchers have been selling vulnerabilities to a variety of buyers – government agencies, contractors, other researchers and third-party brokers – for years. But it was done mostly under cover of darkness. Now, although the transactions themselves are still private, the fact that they're happening, and who's buying (and in some cases, selling) is out in the open. As with the disclosure debate, there are intelligent people lining up on both sides of the aisle and the discussion is generating an unprecedented level of malice."
Re:exploit sale = nondisclosure (Score:5, Interesting)
Being paid for finding a vulnerability and keeping it secret sure beats getting sued for disclosing it responsibly.
Re:exploit sale = nondisclosure (Score:3, Interesting)
So long as people *CAN* patch / disable / protect the vulnerable software.
With the rise of things like locked / encrypted bootloaders, appstores, and lack of updates without a new hardware purchase, I'd say that idea will soon be (if not already) restricted to a very small class of citizens.
(I.e. only those who would care about such things. The majority will just roll over and take it, as usual.)
That and if the summary is to be believed, I would also imagine that the governments of the world will want to outlaw patching "their" exploits.
As far as the disclosure goes you're right it's not ethical from a public safety standpoint, but if you are selling exploits in the first place you most likely don't have that as a goal. Especially if you want some real money for it.
modern day defense contractor (Score:4, Interesting)
There is nothing different between this and the practice of huge companies selling death machines to the militaries of the world, and the occasional non-state paramilitary planning a takeover or something - tanks, bomber jets, missiles and so on - how is this any different? The security researchers work to create a product - i.e. a vulnerability, then sell that information, the product of their effort - to a willing customer.
It's a nasty business, you can question the morals and ethics of it, but it really is no different than companies that sell guns and bombs to whatever crackpot thug has a truck full of cash or gold bars...