Pfeil has used Aitel's services in the past, and is a satisfied customer. "I hired him to do a code review at our company last year. He did a very good job," he says.
While researching any article about Immunity, one thing became very clear: Aitel is popular. Even some of his biggest critics say he's funny and affable; one former colleague describes him as "hard not to like".
Aitel spent six years working with the National Security Agency in the US before moving to the private sector. Ron Gula, the creator of Dragon IDS and co-founder of Tenable security in the US, also worked for the NSA. Gula, a competitor of sorts to Aitel, shies away from vulnerability research. It's expensive, time consuming and not worth the hassle, he says.
But Gula has also benefited financially from finding vulnerabilities in software inadvertently, simply through the publicity. He knows finding bugs pays the bills, even when disclosure is handled differently. It's proof that the rational rules of commerce, and perhaps ethics as a knock-on effect, don't apply in the bug hunting game.
"The few vulnerabilities we've inadvertently discovered got Tenable on CNN and sent a lot of business our way," Gula says.
Even when a vulnerability was discovered in Dragon IDS, Gula said the negative publicity actually helped boost sales. "When Dragon first started, there was a lame exploit for it. This sent a lot of business my way ... [people] conclude if it is new and worth hacking, it must be good."
There is a demand for detailed information about security vulnerabilities out there, a market vacuum, and Aitel's moved to fill it.
"Software customers should require vendors to provide full, current, and accurate disclosure of every security vulnerability they know about, to their customers," he says.
"While the open source community generally follows this policy, closed source vendors often do not. Educated customers, particularly in the financial community, are now requiring independent third party assessments of software before they purchase it, and are beginning to push back on software vendors with regards to the information they get from them about vulnerabilities."
But Microsoft's Stathakopoulos says his company doesn't want to bury vulnerability information, it just wants to slow down its release. "What worries me is the increase in releasing proof of concept code," he says. "I would like to see the industry self-regulating and delaying the release of POC for at least 90 days."
Proof of concept code exploits a security vulnerability, but doesn't grant access to a vulnerable machine; it's a test. However, armed with a basic POC anyone with some basic programming skills can alter the code and turn it into a fully fledged exploit.
Continued ...
14%
7%
