Are vulnerable times responsible times?


Some see the release of proof-of-concept (POC) code as a way to force software vendors to produce working fixes: if millions of users can test a security patch against the POC, the vendor had better get the fix right.

If there's one thing Stathakopoulos is getting very sick of, it's having to drop everything -- including holidays or social plans -- when a security researcher slaps an undisclosed vulnerability in a Microsoft product onto a public mailing list. "You have to leave whatever you're doing to go to work and start the process of releasing a security update," he says.

What if software vendors started paying bug-finders for information about security flaws: would this help or hinder? Shipley has doubts. "There's a fine line between fiscally compensating one for their work, and creating a framework for extortion possibilities," he says. "It's that line that I worry about."

But Aitel notes it's not the "security community" that actually finds most of the bugs. "Vendors typically do pay a fee to people who find bugs in their software; they call that fee their 'salary'," he quips. "Most people finding bugs in a vendor's software are QA (Quality Assurance) engineers who work for the vendor." The public never knows about those bugs because they're fixed before the product ships.

Gula agrees with Shipley. If vendors are obliged to pay for bugs, such a scheme will amount to extortion. "There are millions of unknown vulnerabilities and the software manufacturers should not be forced to purchase these. How much are they worth? Who sets this value?" he asks.

So who's to blame for the current state of affairs? Vendors blame irresponsible researchers, and some researchers blame the vendors. As long as bugs are being found, researchers will seek to earn money from them. They'll sell them, or use them for marketing purposes; nothing says "look at me" like a zero-day in Windows.

Until that changes, the security industry will look like the Wild West for a long time to come. For now, it's the users who are left caught in the middle.

This article was first published on silicon.com.
