Vulnerability auctions killing responsible disclosure

More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them "responsibly" to the vendor whose products are affected.

At a breakfast briefing organised by e-mail security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting.

"I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage, which one do I choose?"

Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder.

"The economy on the market place is facilitating the sale of everything you want from custom Trojans to rootkit and moving through to things like vulnerabilities, which are a marketable commodity," said Ingram.

Last week, security firm Finjan published evidence, which was compiled by the company's Malicious Code Research Centre, that showed examples of vulnerabilities being sold online.

Finjan's chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand -- and therefore the price -- goes up.

"The name of the game is money … we see a trend towards commercialisation of malicious code. Motivated by financial gain, hackers are honing their skills and becoming more ambitious, targeting the growing numbers of Internet users and stealing personal details and financial information, as well as compromising intellectual property," said Ben-Itzhak.

In Finjan's report, the company published screenshots of e-mails that seem to be already soliciting bids for vulnerabilities in Microsoft's IE 7 and Windows Vista, which is not going to be released until next year.


Talkback 3 comments

  1. Lack of ethics rising too? Anonymous -- 22/07/06

    "I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage, which one do I choose?"

    Doesn't anyone but me find this a little disturbing? Is "vulnerability researcher" the new term for cracker? What does it indicate about the lack of ethics and conscience? Do you really think that someone who is willing to pay enough for a vulnerability to "pay off a mortgage" is going to use the information for good?

    I would hope that they would choose the option that allows them to face themselves in the mirror every day, instead of the one that places them on the side of criminals preying on people who have never done them any harm. But I'm beginning to lose faith in that...

  2. Responsible Disclosure? Anonymous -- 22/07/06

    So let me get this straight:
    Microsoft makes billions off the software,
    security companies make millions off selling the info,
    magazines make millions off the information,

    and the researcher is not responsible because he wants remuneration for his efforts?

    Rather communist attitude, isn't it?

  3. Question applies in other contexts Anonymous -- 27/07/06

    "If I have the option of, for example, a nice paycheck from my employer, or robbing a bank to pay off my mortgage, which one do I choose?"
