Sometimes, it’s sold to competitors. Other times, it’s sold to governments. Pricing can range
from 5 to 7 figures, and many of the larger customers actually pay for catalog-style
subscriptions that give them access to 100 or so industry vulnerabilities per year.
Smaller software companies, on the other hand, usually cannot afford to play this zero day
game. This often means that independent researchers don't bother to find flaws in smaller
companies' products, even if the products are good and lots of people use them. It can also
mean that if zero days affecting smaller companies are found, for-profit researchers stand to
earn much more by selling the knowledge to a larger (walleted) competitor and never telling the
affected company or its users.
The firms that find and sell these vulnerabilities can be found through a simple Google search.
There are many, and anyone who runs this search will also find that scattered throughout the
results there are also more than a few articles on ethics.
Zero day knowledge may be fundamentally different from zero day exploitation – but the
question of whether people should sell the former to prevent the latter remains unresolved. In a
free market vulnerability economy, the only thing stopping a research firm or broker from selling
a zero day to a cybercriminal or repressive government is that research firm or broker’s moral
compass. Many feel that this barrier is much too subjective and much too easily swayed by the
amount of money that is involved. Many are also troubled by the fact that most zero day salesmen
have sworn to keep their client lists absolutely secret.
For users affected by security bugs in the products they buy to manage their work and
their lives, the question that needs to be answered is whether for-profit zero day
research has a net positive or net negative effect.
Fundamentally: Is software safer in a world where zero day research is privatized? Or is
vulnerability salesmanship simply Malware Lite?
As always, we'd love to hear your thoughts.
Have a great (zero-free) day!
About the Author
Steve Nowicki is a freelance writer from Illinois. He has an interest in how
people interact with technology and how these interactions continue to
transform society. You can find more of his work on information security at the
Emsisoft Blog.
33 Cyber Warnings E-Magazine – November 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide