March 21, 2005

Pay for Play in Vulnerability Research

Having spent some time doing vulnerability research, I am a bit concerned about the perceived ownership of vulnerability data and the one-sided view being presented in the press. Why is this view one-sided? Specifically, this article likens vulnerability research to "police informants", which is not a useful analogy for what is going on. The other reality, the one that I take issue with, does not appear in this article, which I think leads to the oversimplification.

The analyst that they quote first is Jonathan Eunice at Illuminata - an individual that I respect highly (and not just because we live in the same town). Let me not disagree with Jonathan - let me instead say that I think the issue is more complex than it may appear on the surface, and I think that you'll see what I mean when this is put in context. If the reality were such that vulnerability researchers were paid for their efforts and rewarded accordingly, I'm all for that. The problem is this isn't what goes on in reality. Let me tell you a story to illustrate what *does* happen.

A few years back, a colleague and I discovered a flaw in a part of the Apache web server; at the time we didn't have the time to write it up, but it was a buffer overflow that could allow execution of arbitrary code against a webserver with SSL turned on. There were some constraints, of course, but it could happen. It was only a theory, at that point... We speculated that there was an overflow there, but we weren't sure if it was exploitable. We knew that the only way to be sure was to take the days/weeks of effort to study it, write it up, coordinate appropriate disclosure, etc. That's hard work, by the way. I put the effort in, wrote it up, and disclosed it. For free. As a service to the community, because I thought it was the right thing to do to 'give back' to the community that gave me so much.

So what's my point? Would it have been appropriate for Symantec (the moderators of bugtraq) to sell my "pro bono" research to subscribers of their service? After all, since they're moderating the public list that it's disclosed on, they have a day or so "lead time" with which to sell the data ahead of when everyone else gets it - that lead time is something customers are willing to pay top dollar for. How about if the vendor released the patch early to folks who pay them an "advance notice" fee? Is that fair? Personally, I don't think so. I did the research so that everyone could feel safer and rest easier (emphasis on the "everyone") - I did *NOT* do the research so that someone could sell that data to the highest bidder without remunerating me. Nobody did, by the way (remunerate me, that is.) I'm not complaining, mind you. I did it because I thought it was the "right thing" and because I thought it would be fun. But it does make me angry when the "necessary middlemen" in a disclosure scenario attempt to make a quick buck on the research of others. It's just bad form.

Posted by Ed at March 21, 2005 09:31 AM