Bugs and Money
Jennifer Granick has a good article up on Wired titled “Bug Bounties Exterminate Holes,” which talks about some of the issues raised in a panel discussion at CanSec last week. She makes some good points about commercialization of vulnerability research–pros and cons, risks and rewards, etc.
It’s well worth reading the whole article, but one small bit caught my eye…
I have advised two businesses that had plans to auction vulnerabilities to the highest bidder on eBay. (After talking with me, each decided not to take the risk.)
This is pretty disappointing. I would love an environment where software vendors are forced to pony-up cash to researchers if they want bug details, and are forced into a competitive market against “value-add” services (iDefense, ZDI, etc.), and even criminals. Some may see this as a form of blackmail, but I think it will shed some much-needed light on how vendors feel about security, and how much money they are really willing to spend to keep their customers safe. Already we see a non-profit organization (Mozilla) willing to pay $500 for the information, and multi-billion dollar companies unwilling to pay anything.
I realize there are many legal and ethical problems with auctioning vulnerabilities that need to be wrestled with (including problems with eBay), but would it really be worse than it is right now?