Market for zero-day vulnerabilities incentivizes programmers to sabotage their own work


16 Responses to “Market for zero-day vulnerabilities incentivizes programmers to sabotage their own work”

  1. checht says:

    “Incentivizes” – ouch. “Provides Incentive” too old school?

  2. Vanwall Green says:

    Like making zip guns for a coupla bucks apiece, and selling them to the Cops for $300.00 each, and keeping the real guns on the street. 

  3. Avram Grumer says:

    It’s a bad day when the tech industry follows in the footsteps of an almost-20-year-old Dilbert cartoon

  4. devilsdue says:

    One of the underlying problems is those EULAs we all click through that absolve developers of any and all damages that may come from using their software.   Ask yourself: If money can be made by putting intentional faults into security products, why aren’t bank vaults broken into all the time?  The answer is in the liability, as well as the licensing and bonding process that vault makers and locksmiths must go through in order to sell their products and services.

    Of course, that would require regulation.  A naughty word in politics today.

    • Moriarty says:

       Well, that and the fact that nobody wants to buy a crappy bank vault.

    • foobar says:

      Bank vaults are pretty simple compared to software, yet if they were exposed to everyone on the internet I’d imagine they’d get opened pretty quickly.

      • devilsdue says:

        Bank vaults, and for that matter any kind of traditional physical security, are as exposed as any Internet connected computer.  The only reason you perceive them to be less exposed is that vaults tend to be at the center of nested layers of security, and that the difficulty of tackling that security outweighs the benefits of breaking in.  Furthermore, when break-ins do occur, banks are required to inform authorities and the bank’s customers that such a break-in did occur.

        Instead, you have systems where single-point vulnerabilities lay open entire networks to outside access.  Worse, now the developers of those systems (and the software the systems run) have an incentive to ensure they are insecure.  Allowing those developers to limit their legal liabilities to customers only increases that incentive to sell out those same customers.

        • foobar says:

          To take a whack at a bank’s security, you have to actually go there and run the risk of arrest. You can go at whatever server you like from a coffee shop with practically no chance of being identified.

          Moreover, you can usually get a copy of software to attack in the privacy of your own network.

  5. fettemama says:

    That’s disgusting! Developers should be prosecuted!

  6. tré says:

    Don’t hate the player…

    (but seriously, this whole thing needs to be taken care of by some serious market regulation.)

  7. stephenl123 says:

    I notice you mention governments and businesses paying for zero day vulnerabilities.  But you don’t mention criminal organizations doing the same thing.  Is it that you think the black market for vulnerabilities is not a major part of the market?

    • JonS says:

      Of course they are … they’re /criminals/. But the Govt – if not businesses – are supposed to be looking out for our interests, not looking for new ways to sell us down the river.

Leave a Reply