Today I found this essay on Slashdot:
Bill Gates Should Buy Your Buffer Overruns
I found this essay rather short-sighted; the author is obviously biased toward being paid for vulnerabilities. This may sound like a grand capitalism-meets-software idea to some, but I have no doubt it's a bad idea, and I know most others who actually do the work of keeping users secure agree with me. I'm obviously biased as well, so I feel compelled to comment on this concept.
A program that pays researchers for flaws is easily a huge liability for both the researcher and the company purchasing the flaw. There are a number of possible scenarios that can emerge, causing potential problems for all involved parties. If the research leaks, should the researcher get paid? What if someone else leaks the information? If a researcher is willing to be paid for the exploit, why not just pay them to keep quiet? It's no doubt a tempting idea. What happens if it's stolen research? It's no secret that many security people talk to each other and help each other out from time to time. What if a researcher wants to be paid via a brown paper bag dropped in a garbage can?
A large multinational corporation has a lot to lose. I have no doubt any good legal department would be kept up late into the night over a program such as this.
The issue of extortion is also of grave concern here. What would stop a researcher from asking for 10 times what a company is willing to pay? What happens when you're backed into a corner of either paying for a flaw or knowing the researcher will sell it on the black market? Is that negligence?
Perhaps we should think of this in a different way. I'm going to make up a story.
So Bob discovers a security flaw in Bigco's new Wizbang Interweb Widgetifyer version 17,000. Bigco usually pays researchers $1000 for finding security flaws that could be leveraged to spread a worm. Bob decides that his flaw is easily worth $10,000, and tells Bigco that. Bigco tells Bob to bugger off; they won't pay his extortion fee. Bob decides he's just going to release the exploit on a public mailing list and hope someone writes a worm. Bigco deserves this since they won't take him seriously. So the exploit is released, a worm is written and starts spreading across the world. Luckily, since only 99% of the computers on the Interweb run Wizbang Interweb Widgetifyer version 17,000, the Interweb manages to stay up. At this point Bigco starts telling everyone to feel bad for it because Bob tried to extort money from them, then he wrote a worm to teach them a lesson. He's obviously a terrible, horrible person who probably has three heads and eats raw meat. People start telling Bob what a horrible person he is, and they threaten to kick his puppy.
The moral of this story is basically twofold. First, a computer monoculture is an issue: if most of the computers run the same program, it creates a more lucrative market for certain exploits. Second, if you are willing to give someone one, they think they deserve two.
I'm very skeptical that a researcher could earn a living selling flaws for a few thousand dollars a pop. It takes way too long and is far too much work to actually develop a working, non-lame exploit. I suspect it makes more sense for a researcher to gain as much attention as possible by being credited in public. This would in turn lead to a full-time gig somewhere doing something security related.