Vulnerability Research According to Smith

Posted by in Analysis on Mar 8, 2006

Let’s try that again without the typos… :-)

So, there’s been a bunch of hullabaloo today about how ethical (or unethical) it is to sell vulnerability research information before it’s disclosed. Everybody’s leaping into the fray – overall, though, I think I side with the capitalists: those who would give researchers the right to hawk their wares. I’m for “controlled capitalism” – in other words, we give researchers the right to sell vulnerabilities, but we control how it gets done.

In the past few days, we’ve had commentary from The Register, which seems to come down on both sides of the issue. As it relates to remunerating the researcher, they have this to say:

But should we then expect security researchers to audit commercial software, which is sold for profit, and to do so for free? If there are ethical issues in the sale of vulnerabilities, what’s ethical about selling very insecure software in the first place? While it’s impossible to write software without vulnerabilities, it’s pretty obvious that some companies don’t even try to create secure products – and thus, ethics don’t seem to come into play…

Pete Lindstrom picks this up and gives it his unique spin in a response on his Spire Security Viewpoint. Dancho Danchev gives us empirical observations on the current vulnerability underground markets, while Rainer B
