Bugtraq mailing list archives

Re: An Auction Site for Vulnerabilities


From: Radoslav Dejanović <radoslav.dejanovic () opsus hr>
Date: Sat, 07 Jul 2007 22:10:32 +0200

Ivan . wrote:
I thought this may interest some

http://www.darkreading.com/document.asp?doc_id=128411&WT.svl=news1_1

There has also been a recent article about people who sell vulnerability data in New Scientist (16.6.2007., page 30: "Murky trade in bugs plays into the hands of hackers").

It seems that the idea of having sites where one can sell vulnerability data is catching on with journalists. This is not a good thing, because the newspapers are going to give people who sell their stuff a chance to offer apologetic and maybe sort of heroic excuses ("I spent so much time, but nobody cared; now they are going to buy the results of my genius!") for their unethical deeds.

At the same time, those journalists probably do not see that there's a mature "market" that gives this same information away for free (and for fame), giving companies a chance to fix the problem for free and give the fix away for free, thus benefiting everyone (which is just as much genius, and much, much more noble).

There, it is easy to jump to conclusions. For example, that it is OK to sell vulnerability data, as it seems that the government is ready to pay for some of it (as the U.S. government presumably did for the Samba vulnerability in the New Scientist article). And, as the article did not let the reader know of an alternative (a place such as this one, where people give away their knowledge of vulnerabilities for free), there's no reason not to conclude that finding bugs in code is a great way to earn money. Talk about the message to the little kids.

Add this to a thing such as "eBay for vulnerabilities", and you get a really nice black market being marketed as "just another business"; with articles like these, more and more young people will get into bug hunting in order to make money. Some of them will fall victim to the same guys who run Internet scams and fuel the spam pestilence; some might end up selling data to criminals to break in or blackmail some company (and might end up in jail themselves).

Why, yes, of course - there always were, and there are always going to be, people ready to buy a vulnerability and people eager to sell it for a nice sum; what bothers me here is that journalism is looking at them without a critical eye, like some sort of Evil Genius meets Robin Hood - therefore giving the public the wrong message and making people who disclose their data for free look rather silly.

I think the journalists should dig into ethics first, and understand that topic well, before they go to the lengths of writing about selling Samba vulnerabilities to some friendly and totally-not-total-control-eager government (which is going to retain it for nine months before the hole is discovered and plugged by someone else - read the NS article!).
