Eureka! It's supply and demand, stupid!
I've been twisting for a very long time over the whole 'vendors should pay for vulns' mantra that has recently been enthusiastically revived by a bunch of independent security researchers who, to the best of my knowledge, have never actually worked for a software vendor to understand the engineering realities of developing enterprise software.
Tonight I realized why vendors don't need to pay a dime, and it has nothing to do with vendors buying silence or two researchers finding the same bug independently and the second researcher going Full Disclosure on the vendor because the first researcher already collected the bounty.
We can all stop debating what a critical remote code execution bug is going to be worth when there is an open market for vulnerabilities. An open market requires competition. And there will not be competition. Who is going to buy Apple bugs? Apple. Microsoft sure as hell isn't going to buy them, not without a whole lot of up close and personal attention from the nice folks at the DOJ. So let's say Apple offers $10 per RCE. Whaddya gonna do about it? Whine? Go sell it to iDefense? YOU CAN DO THAT TODAY.
So simple it makes me giggle that I didn't see it before. Econ101.
~E
Labels: market, security, vendors, vulnerabilities
3 Comments:
This post shows you have spent a long time working for vendors.
Vulnerabilities cost money to find and develop. As a small business owner, if a vendor does not want to help a researcher or company recoup the cost of finding these problems, then there are lots of other ways. For instance, Errata Security no longer reports vulnerabilities to vendors; we use them in pentests as a way to show a customer how they would respond to a real 0day threat.
There are tons of customers that want to know that. Throw them in a pot with the intelligence community that wants 0day as well, and you have a ton of competition for the information.
The intelligence community and private customers aren't going to publicly bid against vendors for 0-day. That's a dirty little secret no one wants to admit happens.
Dave,
If X costs money to do, perhaps you should have a contract in advance. That's what I tell the guy who washes my windshield here in NYC.