2003-11-26
Linux vendors spend money building security bug fixes. How much longer will they give them away for free?
Ending the Free Lunch
2003-11-26
Anonymous (1 replies)
Lots of points missed...
2003-11-26
Penguinisto (2 replies)
Ending the Free Lunch
2003-11-27
Anonymous (2 replies)
Missed the point quite a bit
2003-11-28
Anonymous (1 replies)
If I paid you Hal, if I paid YOU, would you stop writing such asinine articles?
2003-11-29
Edward W. Ray

Interesting article, but I'm having difficulty believing that vendors, be they of free or commercial software, charging money for security fixes could be anything but bad news for an Internet that already enjoys Free Patches For All, yet is still ripe with security disasters.
It certainly makes sense from a business perspective: ABC Vendor's software doesn't come with any guarantees or warranty, so they're not legally obligated to fix their software. They devote resources towards fixing security holes and other bugs, and certainly don't make money giving away their work.
Apple's situation isn't a new one. The ISC raised a similar outburst a year or two ago when they wanted to start charging BIND users for timely security fixes. Not only did this delay deployment of fixes for those not fortunate enough or unwilling to pay, it gives a cracker who is willing to pay (or simply break into the system of a paying 'patch subscriber') a nice head start on the rest of the world - he's now got plenty of detailed information on the vulnerability before most everyone else does.
BIND is a good example - how about a certain prolific operating system rife with security holes that begins with an 'M' and ends with an 'icrosoftWindows'? If Joe User doesn't patch his system because he's lazy and doesn't care, why in the world would he patch it when he's got a third reason not to (that directly affects his own pocketbook)?
If charging for patches becomes common practice, the already horrendous state of information security will be degraded even further. If software vendors find they are spending too much time/money on removing bugs from their software - tough luck. Perhaps that will convince them that it's high time to start building software securely and reliably from the outset.
Link to this comment: http://www.securityfocus.com/comments/columns/200/23895#23895