Then imagine a nightmare scenario. Your computer, with all patches loaded, is attacked by a hacker who possesses vulnerability information not in the public domain. They know a way in and there's no way to stop them; no patch for the security hole because your software supplier doesn't know it exists.
This is why software companies want security bug catchers to tell them when they find a flaw. They can write a patch and distribute it to customers before malicious hackers can attack systems through the weakness. But one such researcher, Dave Aitel, doesn't want to do that.
Aitel is a man with a reputation. In private, many security researchers say he's unethical; a rogue operator placing computer users across the globe at risk. Others say he's a gun researcher, protecting his clients in an era of irresponsible security practices among large software companies.
Aitel's company, Immunity, raised more than a few eyebrows in January when it released details of a security vulnerability in Apple's operating system software to the public without giving the software company prior notification. The result? Apple customers were aware of a security flaw in their software, and had no way to fix it.
But the very same vulnerability details were shared with Immunity's clients as far back as June, 2004. Why?
Aitel explained: "Immunity's policy on vulnerability information does not include vendor notification."
Aitel has a habit of answering the questions he wishes you'd asked, not the ones that you actually did.
But he offers this: the way he sees it, he's providing his customers with information about vulnerabilities in greater detail than the vendors, and that's a service worth paying for.
$100,000 will get you into Aitel's Vulnerability Sharing Club; $50,000 for smaller companies. Any company that joins must sign a non-disclosure agreement, so information about vulnerabilities in popular software doesn't fall into the wrong hands.
Needless to say, some vendors are less than impressed. George Stathakopoulos, Microsoft's chief security engineer, wouldn't talk about any specific company, but says responsible vulnerability disclosure is vital.
Continued ...
6%
2%
