Slashdot Mirror


Exploit Sales: the New Disclosure Debate

msm1267 writes "There are a lot of echoes of the disclosure debate in the current discussions about vulnerability exploit sales. The commercial exploit market has developed relatively quickly, at least the public portion of it. Researchers have been selling vulnerabilities to a variety of buyers – government agencies, contractors, other researchers and third-party brokers – for years. But it was done mostly under cover of darkness. Now, although the transactions themselves are still private, the fact that they're happening, and who's buying (and in some cases, selling) is out in the open. As with the disclosure debate, there are intelligent people lining up on both sides of the aisle and the discussion is generating an unprecedented level of malice."

7 of 31 comments

  1. WTF by donaggie03 · · Score: 4, Funny

    WTF is this article even about?

    --
    Three days from now?? That's tomorrow!! ~Peter Griffin
  2. exploit sale = nondisclosure by bouldin · · Score: 4, Insightful

    The only interesting exploit is one that hasn't been patched, right? So anyone who discovers, sells, or buys an exploit knows of a vulnerability and is choosing not to disclose it.

    By not disclosing a vulnerability, you are allowing others to be vulnerable. It's hard to argue that this is ethical behavior...

    Here's an analogy: what if, for every nuke the U.S. destroyed, a nuke disappeared from every other nuclear arsenal in the world? That's what it's like: by keeping a vulnerability secret, it can be used against anyone using the software. By disclosing the vuln, everyone can patch, disable, or protect the vulnerable software.

    1. Re:exploit sale = nondisclosure by michelcolman · · Score: 5, Interesting

      Being paid for finding a vulnerability and keeping it secret sure beats getting sued for disclosing it responsibly.

    2. Re:exploit sale = nondisclosure by thoth · · Score: 3, Insightful

      It's hard to argue that this is ethical behavior...

      Sounds like the free market to me, buyers and sellers auctioning off products in a competitive environment. Perhaps corporations with their billions of quarterly profits can reinvest that money into buying exploits so they can fix them.

    3. Re:exploit sale = nondisclosure by Anonymous Coward · · Score: 3, Interesting

      So long as people *CAN* patch / disable / protect the vulnerable software.

      With the rise of things like locked / encrypted bootloaders, appstores, and lack of updates without a new hardware purchase, I'd say that idea will soon be (if not already) restricted to a very small class of citizens.
      (I.e. only those who would care about such things. The majority will just roll over and take it, as usual.)

      That and if the summary is to be believed, I would also imagine that the governments of the world will want to outlaw patching "their" exploits.

      As far as the disclosure goes, you're right, it's not ethical from a public safety standpoint, but if you are selling exploits in the first place you most likely don't have that as a goal. Especially if you want some real money for it.

    4. Re:exploit sale = nondisclosure by plover · · Score: 3, Insightful

      Here's the counter argument. Let's say you accidentally discover a vulnerability in a bank's web site by mistyping a URL and you ended up at a different customer's account. You write up your finding, and you privately send it to the bank's security team and ask them for nothing in return other than that they act quickly to protect your account. And let's say they turn around and accuse you of hacking them under the Computer Fraud and Abuse Act, and they provide your own written report to the Secret Service as evidence against you? Who is the ethical party?

      How would money alter the ethics? If you gave them the details of the flaw and asked the bank for a $1,000 reward, would that change things? What if you offered to tell the bank of the flaw in exchange for $1,000? If they don't pay, are you ethically bound to not sell the vulnerability to a third party?

      What if you don't know of any specific flaw in your bank's site, but you would like to make some side money as a pen tester; so you send them a letter asking if they have a "pay for vulnerability policy", and they respond by placing a hold on your account and calling in the Secret Service? Who is acting ethically in that scenario?

      What if you fear retribution so you ask this question anonymously? Are you more or less suspicious to the bank? Should they be more or less likely to seek your prosecution?

      What if you exploit the vulnerability personally to view Paris Hilton's bank balance, but you don't do anything malicious to her account? What if you disclose that balance information to the tabloids? What about viewing the bank data of a non-celebrity?

      And if not the bank, which third party might you sell it to? A security researcher? A competing bank? Microsoft? A hacker? Some random alias on darkode?

      Different people are likely to view these behaviors differently, including banks, law enforcement, hackers, computer security professionals, lawmakers, bank customers, and the general public. Different legal cases with different judges are likely to interpret these differently, as well.

      There are few clear cut lines standing out among these questions that say "here are the exact boundaries of ethical behavior."

      --
      John
  3. modern day defense contractor by anthony_greer · · Score: 3, Interesting

    There is nothing different between this and the practice of huge companies selling death machines to the militaries of the world, and the occasional non-state paramilitary planning a takeover or something - tanks, bomber jets, missiles and so on - how is this any different? The security researchers work to create a product - i.e. a vulnerability - then sell that information, the product of their effort, to a willing customer.

    It's a nasty business, you can question the morals and ethics of it, but it really is no different than companies that sell guns and bombs to whatever crackpot thug has a truck full of cash or gold bars...