Monday, March 23, 2009

Reflections on 0-day disclosure

With the topic of no more free bug disclosures heating up and people taking sides I figured I would once again take the opportunity to point out some flaws in each side's argument...

First, to those claiming that security researchers (legitimate, ethical ones like Alex, Charlie and Dino) who ask to get paid for the bugs they find are somehow being irresponsible and will somehow usher in the apocalypse ... get over it. As the author here points out ...
"Security vulnerabilities exist, they always have and they always will. Get over it. Bugs exist much longer than days as it takes most vendors months to fix anything and once you have reported the bug to a vendor — it is no longer a secret"
... that is absolutely right. Allow me to add to that brilliant statement by saying that those bugs are likely already known by others for some time before the date of their disclosure. A security bug's first effective date is the day the software is released, not the day that it's publicly announced. Not disclosing it isn't the same thing as using it for evil... don't equate the two.

Now, on to the other side. It's everyone's responsibility to push for better security. We're not going to get there by trying to get vendors to pony up cash rewards for disclosing their bugs to them - real people and systems are at real risk. You're [likely] not the only one who knows about this bug, so as a good guy you're ethically obliged to do the right thing and disclose to the vendor so it can be mitigated. If you're hoping to get paid handsomely [or at all] for finding security bugs - you're wearing the wrong colored hat...

The bottom line? While they're technically not doing anything wrong, asking to get paid is a fair request. In a perfect world you would get compensated for your hard work ... but you and I know you don't live in that perfect world where research is compensated so do the right thing, disclose the bug, or admit you'd rather be a black-hat.

1 comment:

Ross Thomas said...

I agree absolutely. Nice post :)
