Friday, March 8, 2013

The dark side of Vulnerability Research and Sale

[edit: Altered the title & reworded "Exploit Research" to "Vulnerability Research" to align with common use of the words]

Imagine this:
  1. You have two neighbors, both highly skilled in surveillance and breaking in.
  2. Both of them thoroughly scan your home (from afar, of course) of their own accord.
  3. They find a few flaws that you would not know about, but which would allow a thief to bankrupt you.
  4. One of them wants to sell this information and make money that befits his expertise. To you, to your builder, or to the government. (Interesting question: what happens when none of the three agree to buy?)
  5. The other never mentions any of this to you, but puts the "exploit" up for sale directly to the highest bidder in an "open market" meant for highly specialized buyers (of the type that you aren't).
Is there anything wrong with this scenario? You bet there is.

This is what is building up in the InfoSec world under the garb of Vulnerability Research. I am sure we all understand the logic of "we need to make a living", "we have a right to market our skills" and even "we have a right to get rich".

That "We tried until 2010 to convince vendors to decently pay researchers without success" almost sounds noble.

But to say "L is for Liberties, and exploit sale is a liberty" as VUPEN (@VUPEN) CEO Chaouki Bekrar (@cbekrar) shamelessly tweeted is a bit too much for me.

Where is this going?

Vulnerability Research (as in the scenario above) is turning into a thriving market. Though some players are spouting KYC and self-regulation to support their activities,
"... ask your favorite vendor to pay researchers $100K per 0D ..." and
"... I confirm we don't sell to repressive regimes ..."
it rings hollow.

Of course, other players are simply discreet about what they do -- and don't promise any such restraint. That is surely no less of an issue.

Statements like
"... You are not a judge, and we are not in a court ..." and
"... we really don't care nor give a shit about your thoughts on exploit sales ..."
just about sum up the attitude and shatter any pretense of ethics. It appears that "there is no law against it, so we'll do what we please as long as we can get away with it" is lurking right underneath this "business model". At this rate, sooner rather than later, we could see specialized "Vulnerability Research" markets come up in the fields of ATMs, credit card terminals, and more. They would, of course, begin by selling the exploits "at a decent price", "only to non-repressive governments" and with "thorough Know-Your-Customer norms".

We are witnessing the birth of a thriving market of Vulnerability Research where anyone more skilled than you are is free to poke around and blackmail you.

As the market expands, people have more incentives to turn into Vulnerability Researchers (not to be confused with the more innocuous term "Security Research") -- and there is little or no reason to exercise any restraint.

I'm sure it has occurred to many that:
  • there is no reason to cap the price at $100K per 0D
  • there is no reason (yet) to commit to self-regulate

I don't think we can afford to look the other way or merely smile and indulgently admire the admittedly considerable skills of these open market "Vulnerability Researchers".

In all this, let us also not forget that Governments are paying our (taxpayer) money to actively grow this market. Oh yes, I forgot. The Governments are only doing this to protect us. Strangely, I don't feel particularly safe on this account.

Saturday, February 2, 2013

Center of the Universe

We've known this for a while. No, the Earth is not the Centre of the Universe.

Nor are you.

You may be the most skilled DBA in your company. Your coding skills may be legendary (at least among your friends).

Your company may be the best, biggest, fastest-growing or the most profitable in your space. Your country (or mine, for that matter) may be the shiniest, biggest, richest, or <insert-your-superlative-here>.

It is surprising to see many achievers lose perspective after they gain a bit of name and fame. The Centre of the Universe somehow stares back from the mirror. Every time. Without fail.

I propose that this is a manifestation of a cause-and-effect mix-up: the confusion of correlation with causation.

You don't win your next game because you are the world champion. It is the other way around. You must win this game, the next and the next one after that if you are to stay as the world champion.

You don't demand that the customer give you the order because you are #1 in your space. You must keep winning more business and consistently perform at that level to retain that position.

You might want to ponder over this a bit.

I admit that if you qualify to be the target of this post, you may even find it amusing, though certainly not applicable to you.

So this is really for us, the other guys. It is for us consultants who write pre-qualification criteria in RFPs. The same consultants who recommend higher technical evaluation scores for you -- on the assumption that your offer must somehow be better because you are a "global leader" or the "#1 in the country" or in the "Leaders' Quadrant".

We need to figure out the best offer on the table, not confuse that with the top company at the table. We need to determine the best product for our needs, whether or not it is the top product!