Researchers: Flaw auctions would improve security
Robert Lemos, SecurityFocus 2005-12-15

The auction may have set a record price for a highlighter pen and an 8-by-11-inch sheet of paper.

Researchers: Flaw auctions would improve security 2005-12-21
Howard Israel
No doubt that the open sale of undisclosed vulnerability information presents new ethical questions. On the one hand, bona fide vulnerability researchers should be rewarded in some manner (at least in getting credit). On the other, disclosure of such sensitive information to anyone other than the parties who can address the problem (i.e., vendor/author) presents immeasurable risks to users/customers of those systems, and is clearly wrong.

A secondary set of issues occurs in any open sale of such information, e.g., how does the seller confirm that the buyer is who they claim to be and actually meets the seller's restrictions? How does the buyer confirm the seriousness and accuracy of the claims? What if the vulnerability only occurs in certain specific, obscure configurations, which would certainly diminish its value to anybody?

Security product vendors have a history of offering bounties for finding flaws within their products (typically as a marketing ploy) going back 20+ years (e.g., I recall one small security company that offered the CEO's used Ferrari if anybody could break their security system). Another vendor offered tee-shirts for security-related bugs. For example, RSA's crypto-breaking contests are a close cousin to this issue. I haven't heard any complaints about their contests, and security researchers participate actively.

Disclosure: I used to work for several product vendors and have dealt directly with independent security researchers regarding undisclosed vulnerabilities of my employer's products.

Copyright 2009, SecurityFocus