"Any individual or organisation that behaves in a way that potentially puts ... customers at risk is a huge concern," he says. "We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities."
Greg Shipley, chief technology officer of Chicago-based security outfit Neohapsis, holds back judgement but says the existence of private vulnerability sharing clubs like Aitel's raises some serious ethical questions.
There are millions of unknown vulnerabilities and the software manufacturers should not be forced to purchase these. How much are they worth? Who sets this value?
-- Ron Gula, creator of Dragon IDS
The trade in information that allows the buyer to easily penetrate computer networks is dangerous, Shipley argues. "If it simply boils down to the highest bidder, we're in for some real problems."
"If anyone with a few dollars can afford to 'buy into' such an information ring and get access to tools that blow past most corporate defences, what's to stop some truly malicious folks from using that information for truly evil purposes?" Shipley asks.
"Zero-day", or unpublished, security vulnerabilities are becoming the "tactical nukes" of cyberspace, Shipley argues: the Holy Grail. He doesn't want to see them falling into the wrong hands.
But Ken Pfeil, chief security officer at Capital IQ, a web-based provider of financial data services, isn't alarmed. Services offered by companies like Immunity are ethical, "as long as they hold the information to themselves and sign the members to a non-disclosure agreement". Still, he does acknowledge the sensitive information may "leak", but that's not Aitel's fault, he says. Vulnerability information leaks have sprung from other sources, like the Carnegie Mellon University-based research outfit CERT, which receives US government funding.
"No one holds CERT accountable when a member leaks information, so why would this be any different?" Pfeil asks.
Perhaps some in the security industry are merely annoyed Aitel has the gumption to turn vulnerabilities into cash in such a controversial way. Having access to vulnerability information if you're a researcher seems to be a lesser sin in the eyes of many. It's ironic, considering some prominent researchers have been known to dabble in illegal activity.