There is a great article over at Wired.com about vulnerability brokers. The issue is a very complex one.
On one hand, I like to see my friends get paid for finding bugs in software. Why shouldn't they? They spend large amounts of time looking for and finding security issues, which they then report to the vendor.
They aren't writing an exploit and building a huge new botnet - they are helping the vendor. Hopefully helping the vendor become more secure and therefore sell more products. But what do my friends get? Money? Rarely. Sometimes they don't even get a pat on the back. Some vendors claim the bug isn't a problem and that the researcher doesn't know what they are doing...only to fix the issue later in a "feature update". ;)
But Jennifer paints a very real picture in her article. If the third-party broker market keeps growing, the issue of information control will come to light. Vendors pay for the "information" and use it to make their products better - new IDS/IPS signatures, early forecasting, etc. That sounds like normal business to me...but it isn't without a negative side, as Jennifer points out.
It is a slippery slope, and I hope the security community overall can find a balance. Perhaps the original product vendors should start paying for vulnerability information, like Mozilla does. I don't know.
Let me know what you think...I want input on this issue.
Are we heading down a bad road??
By not paying for vulnerabilities, are companies failing to step up to the plate to protect their customers? They pay programmers to write the code, and they have their own security people - they pay them all day, right? Why not pay a non-employee who helps you better your product?