SecurityFocus 2007-06-01
Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information.

Do you think government researchers who develop 0-day exploits for national defense purposes should also have their CISSP credentials removed? If not, what is the distinction between a private individual selling it to the government, and the government finding such exploits on their own?
To those that claim he is whining while farmers in developing nations are starving - this is beside the point entirely.
It appears as if those that critique him (here comes my straw man, be careful) seem to believe that independent researchers have moral and ethical obligations to be unpaid volunteers for large software vendors.
His point (which seems valid) is that it is difficult to determine what is a fair market value for these sorts of pieces of intellectual output. Think of this as a novel economic problem. While governments will pay good money for exploits, one has to have inside contacts in order to do so.
Regardless of one's position on disclosure and paying for bugs, I would hope we can all agree that it would be better for all if government contacts were easier to find than black market purchasers.