swhx7
Premium
join:2006-07-23
Elbonia

Disclosure ethics: $10K+ for new Real Player vulnerability

From Slashdot:
quote:
A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients who pay a lot of money for early access to such knowledge. To describe Gleg's business model Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Nariane's Securitywach blog.

I'd be interested in what posters here think of the ethics of such behavior.

1. Is it OK to require payment for revealing such information to the vendor?
2. Is it OK to sell such information to 3rd parties?
3. Is this different in principle from requiring a payment for nondisclosure to the public?
4. Is requiring a payment for nondisclosure to the public OK?
5. Should there be any liability if a 3rd party buyer uses the information maliciously?
6. What if software vendors started putting clauses in their licences requiring that any user who discovers a security bug report it to the vendor exclusively - would that violate freedom of speech principles? (Would it be any different in principle from forbidding users from revealing test results, or any other truthful information about the product?)
7. If selling of software exploits is potentially a problem, how could the software market be structured so that this kind of business would not work?


Millenniumle

join:2007-11-11
Fredonia, NY

1. As long as they are asking an equal price from any buyer I think it's fine.

2. I think it has to be.

3. If they are offering it for sale to anyone then they are not "requiring payment for non-public disclosure." They are simply offering it for sale.

4. I think it would then be blackmail.

5. If there is liability to be found then it lies with the developer.

6. If enforced, it would ensure vulnerabilities remain unexposed to all except those with malicious intent.

7. Selling them is a cure, not a problem. It forces large developers to develop well. I can't think of a more beautiful thing than multiple entities keeping software developers dotting their I's and crossing their T's: developers who hold in their hands the security of business and people.

======================================

Laws that would prohibit exposing and selling exploits are more disturbing than companies having to pay for exploits they should not only be aware of, but avoiding.

dave
Premium,MVM
join:2000-05-04
not in ohio
reply to swhx7
The whole thing reeks of extortion.


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to swhx7
I positively hate this business model, and a number of US-based organizations do what amounts to the same thing. I think they're awful, but I have not been able to find a way to prohibit this without having far worse effects on freedom. If I do the very substantial work required to figure something like this out, why should I be expected to give it away for free?
said by swhx7:

7. If selling of software exploits is potentially a problem, how could the software market be structured so that this kind of business would not work?
Easy: write better software
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site

dave
Premium,MVM
join:2000-05-04
not in ohio

said by Steve:

If I do the very substantial work required to figure something like this out, why should I be expected to give it away for free?
I think it all depends on motive.

I suppose that professional extortionists often will do a lot of work up-front, on spec, so that they can demand a high price later.

And thus the problem with this business model is that it looks like its primary objective is the extortion part.

(I agree that it's a very difficult thing to legislate).


swhx7
Premium
join:2006-07-23
Elbonia

reply to Steve
said by Steve:

said by swhx7:
7. If selling of software exploits is potentially a problem, how could the software market be structured so that this kind of business would not work?

Easy: write better software

This is actually a backwards way of saying that the "selling exploits" business model is beneficial because it motivates vendors to minimize security bugs.

By the same reasoning, the current model of researchers finding the vulnerabilities on a non-commercial basis - whether they report them to the vendor first, or publish first or whatever - amounts to a subsidy to sloppy-coding vendors. They do have to fix the problems when they're found, but can get away with less thorough testing prior to release.

I don't like the "smacks of extortion" model either. What about liability if the seller has reason to think the buyer will use the information for exploits instead of protecting customers?

Also, what about a law saying that contractual prohibitions against disclosure to additional parties are illegal or unenforceable? Then discoverer sells to A on condition that A will not reveal to anyone else, but A can do so freely - this would undermine the market because the first buyer could liberate the information.


Millenniumle

join:2007-11-11
Fredonia, NY

"What about liability if the seller has reason to think the buyer will use the information for exploits instead of protecting customers?"

Functionally equivalent to public exposure.

"[...]this would undermine the market because the first buyer could liberate the information."

The vendor doesn't want to spread the exploit. Anyone else who paid for it might be reluctant to just turn it over for free when they paid good money. Such legislation may be moot because we have to imagine an entity purchasing and publicly exposing.

mikenolan7
Premium
join:2005-06-07
Torrance, CA

reply to swhx7
As Millenniumle stated very clearly, there is nothing illegal about it, nor is it likely to make the situation worse than it is. However, it is a business model that relies on the fact that people exist that will behave illegally, and do make the situation worse. They are profiting from others fearing that they will be victims. Hence many people find their actions distasteful. Others, especially those that can afford the service, will view it as a valuable addition to their security.

It is very similar to private security services (home/business protection). If your neighbors all have a private security service, and you do not, you have become more likely to be robbed. But I doubt that anyone would push for making them illegal. I think the primary difference is that we are more accustomed to the private security services.

Take solace in the fact that anyone paying a lot of money for access to information about a single vulnerability is probably being bilked. There are undoubtedly many; knowing about one, or even several, will not protect anyone from a skilled attacker.
over 10 years online! © 1999-2009 dslreports.com.