Imagine this:
- You have two neighbors, both highly skilled in surveillance and breaking in.
- Both of them thoroughly scan your home (from afar, of course), on their own initiative.
- They find a few flaws that you did not know about, flaws that would allow a thief to bankrupt you.
- One of them wants to sell this information, for a price that befits his expertise, to you, to your builder, or to the government. (Interesting question: what happens when none of the three agrees to buy?)
- The other never mentions any of this to you, but puts the "exploit" straight up for sale to the highest bidder in an "open market" meant for highly specialized buyers (of the type that you are not).
Is there anything wrong with this scenario? You bet there is.
This is what is building up in the InfoSec world under the guise of Vulnerability Research. I am sure we all understand the logic of "we need to make a living", "we have a right to market our skills" and even "we have a right to get rich".
Even "We tried until 2010 to convince vendors to decently pay researchers without success" almost sounds noble.
But to say "L is for Liberties, and exploit sale is a liberty" as VUPEN (@VUPEN) CEO Chaouki Bekrar (@cbekrar) shamelessly tweeted is a bit too much for me.
Where is this going?
Vulnerability Research (as in the scenario above) is turning into a thriving market. Some players are spouting KYC and self-regulation to support their activities:
"... ask your favorite vendor to pay researchers $100K per 0D ..."
"... I confirm we don't sell to repressive regimes ..."
It rings hollow. Of course, other players are simply discreet about what they do, and promise no such restraint at all. That is surely no less of an issue.
Statements like
"... You are not a judge, and we are not in a court ..."
"... we really don't care nor give a shit about your thoughts on exploit sales ..."
just about sum up the attitude and shatter any pretense of ethics. It appears that "there is no law against it, so we'll do what we please as long as we can get away with it" is lurking right underneath this "business model". At this rate, sooner rather than later, we could see specialized "Vulnerability Research" markets spring up in the fields of ATMs, credit card terminals, and more. They would, of course, begin by selling the exploits "at a decent price", "only to non-repressive governments" and with "thorough Know-Your-Customer norms".
We are witnessing the birth of a thriving market for Vulnerability Research, one in which anyone more skilled than you is free to poke around and blackmail you.
As the market expands, more people have an incentive to turn into Vulnerability Researchers (not to be confused with the more innocuous term "Security Researcher"), and there is little or no reason for them to exercise any restraint.
I'm sure it has occurred to many that:
- there is no reason to cap the price at $100K per 0D
- there is no reason (yet) to commit to self-regulate
I don't think we can afford to look the other way, or merely smile and indulgently admire the admittedly considerable skills of these open-market "Vulnerability Researchers".
In all this, let us also not forget that governments are spending our (taxpayer) money to actively grow this market. Oh yes, I forgot: the governments are only doing this to protect us. Strangely, I don't feel particularly safe on that account.