I wrote several times already about responsible disclosure and irresponsible disclosure. My point on that is clear: Every vendor has to have transparent and clear processes to handle vulnerabilities. These processes ensure that there will be a timely reaction on responsible disclosed as well as on irresponsible disclosed vulnerabilities causing so called zero-days. These zero-days pose a major risk to all the computer users on the Internet. One could agree now, that not the zero-day is the problem but the vulnerability itself.
Let's take an analogy: My house has certain protection measures against burglars but there are limitations and certainly vulnerabilities. What would you argue there? Is it my fault if the burglar gets in the house or is it a criminal action? It is clear isn't it? How would you think if somebody would pin a piece of paper at the blackboard of the local shop describing in detail how you would be able to break into my house? Not really ethical, isn't it? What would you think if the person would actually sell this information on an Internet auction? Would this be ethical? Criminal?
So, let's come back to the IT industry: I am a firm believer of some facts:
- As stated above: Every company has to have transparency in its processes to handle those vulnerabilities without "zero-daying" itself - meaning making previously responsible disclosed vulnerabilities public.
- Each fixed vulnerability shall be transparent. There are very few exceptions to that rule of the company itself finds the vulnerability and nobody outside knows about it.
- Making vulnerabilities public puts the ecosystem at risk and is definitely unethical - not saying criminal
So recent history showed that there are people who start to look for vulnerabilities for a living - not being paid by the vendors (e.g. I hire somebody to find the problems at my house) but on their own. They wanted then to sell them to the vendors. Our policy here is crystal clear. We do not buy vulnerabilities. We acknowledge the finder in the bulletin. Additionally we bring them together with our Executives and developers at a conference called "Bluehat". As the selling did not work, they sold them on e-Bay. e-Bay acted responsibly and blocked these auctions. The "highlight" now is a new auction site I found, auctioning only vulnerabilities. They have an interesting ethics: "xyz is aiming to a single moving target: to bring the world closer to zero risk.
If the world must become a safer place, the first part of the recipe is simple: to provide a better rewarding for the security researchers, organising an efficient and transparent marketplace, here to maximise the results of their efforts." But going back to the house analogy: If I do not ask anybody to look for vulnerabilities in the concept how I defend my house and somebody finds it and then wants money for that - looks to me like blackmailing.
Coming back to ethics: Why is it always so different on the Internet? Why do people think that selling "vulnerabilities" of my house would be blackmailing but selling software vulnerabilities is making the world a "safer place".
Last but not least, are you sure who is buying the vulnerabilities? Are they criminal? Are they willing to fix the problem? The auctions started around €500 and they actually have bidders already…
At least it seems that I have a different set of values as they do but this might be the reason why I work for Microsoft. If you remember the pillars of Trustworthy Computing: Security, Privacy, Reliability, Business Practices and these practices definitely do not fit to our values