Time to Shield Researchers
Oliver Day, 2009-03-20

Story continued from Page 1

Companies that have not yet been through a vulnerability disclosure tend not to know how to react. They usually respond with fear, anger, and a lot of attorneys. Last year, the Massachusetts Bay Transportation Authority sued three MIT students in federal court, alleging that the trio had violated the Computer Fraud and Abuse Act by "accessing protected MBTA computers without authorization," and obtained a temporary restraining order that kept them from presenting their research. Seasoned companies aren't always different, but most have worked out what is and isn't acceptable.

This issue gets far more complicated with Web services. The criminal market has found ways to monetize iframe injections with very little effort. I had a conversation with a security researcher last year who had noticed a flaw in the way his bank determined which account to display. Instead of notifying the bank, he simply closed his account and moved on. That may sound irresponsible of the researcher, but who can blame him? The bank was just as likely to press charges as to ignore him completely.

Without a "covenant not to sue" in place, the next generation of researchers will have nowhere to go. Not even operations like the Zero-Day Initiative will buy vulnerabilities in live Web hosting services. Yet those same vulnerabilities are worth a lot of money to the right operation, one seeking to push iframe code laden with drive-by downloads. When a researcher comes upon a vital discovery, she shouldn't have to ask what to do. There should be no question about the protocol for handling a newly discovered vulnerability.

Companies need to take a long, hard look in the mirror and decide whether they want to keep playing this game. If we don't restore the balance, things will take a turn for the worse. Fame and glory are barely holding on as a form of payment for the services of security researchers. Weighed against the unchecked threat of litigation from software vendors, the incentives for researchers simply aren't there.

Even though there are legitimate ways to earn money by selling vulnerabilities, that market still cannot support a researcher of reasonable skill. Selling a vulnerability on the black market has become both safer and more lucrative than doing "the right thing." In the worst case, the researchers with the skills to find these flaws will simply walk away, leaving everyone more vulnerable. Over the last decade these researchers have been providing expert quality assurance to corporations for free, and it is about time they were given incentives and protection, not injunctions and summonses to appear.



Oliver Day is a researcher at the Berkman Center for Internet and Society, where he works on the StopBadware project. He was formerly a security consultant at @stake and eEye Digital Security. He has also been a staunch advocate of the disclosure process and of legal shielding for security researchers.
Copyright 2010, SecurityFocus