Bugs aren’t free anyway
Posted by Ed in Analysis on Mar 30, 2009
So, in case you haven’t seen it yet, a couple of researchers are totally against the idea that companies freeload off their research. Pete Lindstrom over at Spire weighed in on it, which is interesting to see since he’s not really a fan of the full disclosure stuff.
Anyway, it seems to me that there are two things going on… First, they have a legitimate point. Many vulnerability researchers aren’t compensated monetarily for the work that they do. In fact, bug finding is a PITA. It is. Finding the bug is the easy part. The hard part? Dealing with development teams who don’t want to hear from you in the first place, dealing with people who are irritated by your bug-finding, etc. Not getting paid for it is the icing on the cake.
But is it the case that there isn’t any value in finding bugs? I’m not sure you can say that. How many folks, for example, see David Litchfield as an expert on Oracle because of the bugs he’s found in their software? How much cred did the l0pht get for the work they did breaking the auth in NT? Is there really no value to be had in finding bugs besides monetary remuneration? I’m not sure that’s the case.
Maybe the market’s working as it should. Maybe folks don’t do it to get paid but instead for free advertising… Just my two cents. It’ll be interesting to see how this pans out. But something tells me folks like X-Force are going to keep finding and publishing bugs even without the getting-paid angle.