The Debate When it Comes to Monetizing Security Flaws

Wednesday, June 20, 2012

Lee Munson


For a couple of years now there has been a debate going on in the computer security community.

Well there have been more than one debate going on and a lot of them have been going on for more than a few years. But right now there is a serious debate going on that has people on polar opposite sides of the issue.

They are so much on the opposing side of the issue that some of the people are starting to spew vitriolic rhetoric at the other side in an attempt to try and make their point. It is not the right way to go but some people are taking that route anyway.

The debate that has been raging in the computer security community is whether people should be paid when it comes to announcing 0 day exploits. For the people out in the audience who do not know, a zero day is an exploit that is found by someone and is not known to the general computer security community.

The person who finds it has several options in which they can choose from. They can sell it to the highest bidder no matter if they are a good guy or a bad guy. They can choose to sell it only to the good guys. They can announce it to the public for free and not be compensated in anyway but hope that the recognition will give them a good standing within the computer security community.

Or they can sit on it and report it to the vendor whose software has been compromised and hope that the vendor is willing to pay them for the information.

Some people think that if you try to profit on your discovery, then no matter what your intentions are, the discovery could be used for non ethical goals. They think that it does not matter if it is a good guy or a bad guy who gets the information. They think that both parties have the potential for abuse.

They point as an example of the United States government using specially made malware to hack into the systems of Iran’s nuclear facilities as an example. While that can be argued that was not abuse, some people argue that it is and that is what monetizing zero day’s amount to in the long run.

People on the other side of the issues have a compelling argument as well. They feel that the work to find zero days is very hard and there has to be some way that the person who finds them is compensated. Not all companies will give you money when you find a security hole in their product.

So in cases like that, how does the security researcher who spent a lot of time and maybe even money finding the problem get paid? If there are not more ways for that person to get paid then they are more easily tempted to go to the dark side and earn money that way.

No one wants to work for free, even if it is at doing something that they love to do.

While the solution that we have now is not perfect, it does find a way for the security researcher to be paid in the long run. Everyone likes to be compensated for bringing value into the world and the work that these researchers do is valuable.

If they didn’t do it then the bad guys would and they would get to the zero days first. And the structure of the internet and computing itself would be a lot different if the bad guys got all of the information first!

Possibly Related Articles:
Information Security
Zero Day Disclosure Research Vulnerabilities Exploits Information Security Infosec Bounty vendors
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.