The bug market
2014/04/24 21:45:37 CEST

Bob Beck on tech@:

Yes, but the fact is that the last 10 years have changed the community - whereas bugs used to be shared ahead of time among a group of peers (including Free operating system authors) who were trusted to, and generally allowed for, a certain amount of time for mitigations to happen before announcement, the fact is that now big dollars are spent by all of the players on bug bounties and other such crap, with sponsors having privileged access to the information (in other words they aren't donors, they are paying for early access.)

So just as a hypothetical example, 10 years ago, if certain organizations knew about an endemic problem, that would have been shared ahead of time with the security community (we all know who we are) and everyone would work to get their mitigations in place in a controlled manner before disclosure so patches were available immediately - and that used to happen pretty darn fast. That doesn't happen any more now that most of this is monetized - they're too busy being told to sit on it by their "sponsors", so full disclosure actually seems to happen a lot later.

So, the short answer is, if you know about a problem and want to monetize it - this is great news for you - there are many places with organizations behind them with deep pockets that will buy your bug. The organizations with the money behind it get early access. Finding bugs in that environment is not about making software better anymore. You probably don't want better software - you want more bugs. More bugs equals more money. You probably want to keep things like the exploit mitigation countermeasures in OpenSSL in the software - you certainly don't want the code base to be easily auditable, and you certainly don't want the tools that find the bugs automatically and just get them fixed to find them.

Who loses? Well, the rest of us.

So, if you know of a bug in such an organization (that itself sits on bugs), what would you do? Tell the world for free? Monetize it? Or sit on it?

I don't have an answer for you. All I can do is tell you the state of the world :) In the immortal words of a recently deceased friend of mine, Life is Hard, Wear a Helmet.

Tags: security, full disclosure