This post inspired by reading a story from Rich Mogull (Securosis) about VoIPShield deciding to effectively sell exploits. In case it is unclear, I’m initially in agreement with Rich’s sentiments.
At what point do you cross that strange line? I hesitate to give that line a name, since it might change the connotation a bit, but the line name I had in mind initially is “black hat.” Take these scenarios into consideration:
1. Security research firm (SRF) finds vulnerabilities and fully and freely reports them to the victim vendor and maybe the world at some point as well.
2. SRF finds vulns but only reports them to vendors, fully and freely.
3. SRF finds vulns and fully and freely reports them to the world immediately.
4. SRF finds vulns but only sells them to the victim vendor.
5. SRF finds vulns but decides this adds to their value as an SRF and keeps them secret as part of their stash of “we can own you during an assessment” tricks.
6. SRF purchases other vulns to add to their stash of tricks.
7. SRF finds vulns and adds them to their proproetary exploit tools that they sell to anyone.
8. SRF finds vulns and sells them to interested parties, whether they be the vendor or not.
9. SRF finds vulns and uses them to attack vulnerable sites/apps to steal information, i.e. criminal gain.
Quite often, we demonize criminal black hats because they’re realizing monetary gain at someone’s expense against the law. But where do vulnerability shops fall into the whole realm of things? Especially those who will sell vulns to the public. That’s like full-disclosure with a price tag…so in a way that is a monetary gain while possibly supporting criminal activity. Now, exploit-offering sites probably have indirect gain to their moderators and authors even if there is no charge, simply because of the knowledge and notoriety gains.
Maybe you can draw the line on whether utility is being experienced or not, i.e. is the general public more secure for your actions? Is there a legitimate value to your security efforts? If not, then we should all be working for free, right? Or what about intent? I might be making guns, but my intent is not to kill people even if I close my eyes while selling this gun to an obviously mental lunatic. So does that mean regulation of exploits be a government matter (like it is in some countries, for better or worse).
It’s an interesting road to think closely about…