Thursday, February 01, 2007

A Lively Market in Software Bugs

From The New York Times
This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness. …

The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them. …

[T]here appears to be nothing illegal about the act of discovering and selling vulnerabilities. Prices for such software bugs range from a couple of hundred dollars to tens of thousands. …

Marc Maiffret, co-founder of eEye Digital Security, a computer security company, said prices in the evolving black market quickly proved higher than what legitimate companies would pay. “You will always make more from bad guys than from a company like 3Com,” he said.

Even ethical researchers feel that companies like iDefense and TippingPoint do not adequately compensate for the time and effort needed to discover flaws in complex, relatively secure software.
I think this is great. At least it brings security holes into the marketplace. Now we know what they are worth.

Microsoft has apparently refused to pay people who discover security holes in its software. That's both foolish and stubburn. A Microsoft error now has a real market value price. Since it's an error Microsoft made, it should accept responsibility for it and pay for it.

This sort of market might also allow victims of security holes to establish a price if they sue for negligence. If Microsoft refuses to pay for information that would allow it to fix one of its own mistakes and then someone suffers a loss as a result of that security hole, Microsoft looks very vulnerable.

No comments: