Let's try that again without the typos... :-)
So, there's been a bunch of hullabaloo today about how ethical (or unethical) it is to sell vulnerability research information before it's disclosed. Everybody's leaping into the fray - overall, though, I think I side with the capitalists: those who would give researchers the right to hawk their wares. I'm for "controlled capitalism" - in other words, we give researchers the right to sell vulnerabilities, but we control how it gets done.
In the past few days, we've had commentary from The Register, that seems to come down on both sides of the issue. As it relates to remunerating the researcher, they have this to say:
But should we then expect security researchers to audit commercial software, which is sold for profit, and to do so for free? If there are ethical issues in the sale of vulnerabilities, what's ethical about selling very insecure software in the first place? While it's impossible to write software without vulnerabilities, it's pretty obvious that some companies don't even try to create secure products - and thus, ethics don't seem to come into play...
Pete Lindstrom picks this up and gives it his unique spin in a response on his Spire Security Viewpoint. Dancho Danchev gives us empirical observations on the current vulnerability underground markets, while
No matter what side of the issue you're on, you can't escape the fact that there is money to be made in 0day vulnerabilities; if there weren't, programs like the 0day initiative would be long gone by now. People say, responding to the success of these programs, that it is unethical to sell 0days because criminals might buy them and use them for destructive purposes. I partially agree with this, although I think we're putting the blame on the wrong people. By analogy, the production and sale of firearms is, without question, a thriving business. Again, there's no question that firearms are dangerous in the wrong hands. In fact, it's hard to make a legitimate case that any legally produced and sold artifact is more potentially dangerous than those produced and sold by the gun industry. Note that I'm not saying anything for or against gun control, by the way - all I'm saying is that guns can be dangerous in the wrong hands, and that there's a market for them.
However, very few people would say that gun makers are legally, morally, or ethically responsible for their products. In other words, most would agree that if a terrorist guns down a bus full of children, Smith and Wesson is not culpable. There are those who would argue otherwise, but our society has historically held that the one performing the actual criminal act is culpable, whereas those who make the weapon are not. It's probably simplest that way, since if the weapon-makers were culpable, it could lead to debates about the degree to which Louisville Slugger is culpable for battery, how much Ford is culpable for vehicular homicide, or how much Sony is culpable for Ashlee Simpson.
That's not to say you can sell a gun wherever you please and to whomever you please - there are laws about how guns can be sold, where they can be sold, and to whom they can be sold. Again, some would say that there's a difference between guns and vulnerabilities because sales of guns are currently rigorously controlled; but that's a different issue - just because we don't have controls today doesn't mean that we can't ever have them. Let's establish some controls for vulnerability sales so that 0days cease to be as dangerous. There are others who would say that selling guns is also unethical; maybe that's true in a higher sense, but not according to our legal system.
To those people who argue that selling 0days is always unethical, I would ask the question: why would it be ethical to sell a gun (which can be used by untrustworthy parties to take a human life) but not ethical to sell a vulnerability? After all, a vulnerability is just an idea.
Posted by Ed at March 8, 2006 02:43 PM