Slashdot Mirror


Security Research and Blackmail

harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients, who pay a lot of money for early access to such knowledge. To describe Gleg's business model, Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's SecurityWatch blog.

3 of 307 comments

  1. Re:But... by techno-vampire · · Score: 4, Informative
    But who does use RealPlayer anyway, that this could possibly affect?

    All the Aunt Tillies out there who use Windows because it came installed on their computers and have no idea what an operating system is. They use IE for the same reason, and when they want to hear an audio file, guess what IE tells them to install? One hint: it won't be VLC.

    --
    Good, inexpensive web hosting
  2. Re:Intellectual Property by forgotten_my_nick · · Score: 3, Informative

    "If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?"

    That in itself is a fair point. I mean, what if you are working in the security industry and are trying to secure someone's business? You certainly aren't going to do it for free.

    The issue here is more like, after the home owner says they don't have the money or can't pay, you sell the information to whoever wants it. That, I am pretty sure, is illegal.

  3. Why not compromise by martinlp · · Score: 3, Informative

    This is exactly what the TippingPoint Zero Day Initiative is for: to give credit and a bit of money to researchers who spend time and effort to discover vulnerabilities in software.
    Sure, these researchers should get money/credit, but what if they become greedy or irresponsible?