Pingsta Blog


Weekly Weigh-In #3: Software vulnerability auctions vs. ethical disclosures

Posted in bugs, ethical disclosure, Pingsta, software vulnerability, WSL by pingstapr on July 12, 2007


A week ago, a Swiss company by the name of Wabi Sabi Labi (gotta love the name) launched an eBay-style marketplace for software vulnerabilities. They allow anyone with a verified security flaw to auction it off on their site. Wow!

While I find this very discomforting because of the potential for exploitation of such defects by unscrupulous ‘buyers’, I believe researchers should be compensated adequately by software manufacturers for “ethical disclosures” that end up improving software quality.

Fact: 99% of all bugs are customer-found.

Software is imperfect because we are imperfect; thus, defects are here to stay. Therefore, anyone who helps to “dev test” a piece of software to the point of identifying a flaw should be compensated (and possibly offered a job) for their hard work.

Although I do not condone the WSL marketplace, I do understand why it came about. It is a logical reaction to the lack of fair recognition that is currently given to members of the public who point out software flaws to manufacturers.

The fair thing to do would be for WSL to offer software OEMs the chance to “buy” vulnerabilities offline before resorting to public offerings. On the flip side of this, I guess researchers can now add WSL to their list of leverage points when negotiating with software OEMs.

Thoughts?
/Peter

