Selling Vulnerabilities and Ethics

Shoaib just blogged on Hacking & Security Community - Ethical or Unethical?. To start with: I do not claim that I know all about ethics and that there is only one view on ethics but I have a clear view on certain things.

I blogged on this theme several times already and made my points pretty clear:

• Vulnerability Auction
• Selling Vulnerabilities?
• WabiSabiLabi and their view on ethics

When I talk to people who are selling vulnerabilities, they keep telling me that it is their right to sell their work and as they do vulnerability research for a living. So, let's use an analogy: How ethical would it be to try to find ways how to break into my house and then selling them to the people paying most as they will offer services to me to protect me? Is this ethical? Not from my perspective. If I would hire somebody to look for these vulnerabilities, this is a different game but I would then want to know them without going public.

WasbiSabiLabi tells us that they will not sell to the bad guys and that they check the identity of every buyer before they sell to them. So, we have to trust them.

Anyway, we have a policy that we do not buy vulnerabilities and that we are a supporter of the responsible disclosure policy. This is what we do and I am convinced that this is the right thing to do.

Roger