Yes, but the fact is that the last 10 years have changed the community
- whereas bugs used to be shared ahead of time among a group of peers
(including Free operating system authors) who were trusted to, and
generally allowed for a certain amount of time for mitigations to
happen before announcement, The fact is that now big dollars are spent
by all of the players on bug bounties and other such crap, with
sponsors having privileged access to the information (in other words
they aren't donors, they are paying for early access.)

So just as a hypothetical example, 10 years ago,  if certain
organizations knew about an endemic problem,  that would have been
shared ahead of time with the security community, (we all know who we
are) ahead of time and everyone would work to get their mitigations in
place in a controlled manner before disclosure so patches were
available immediately - and that used to happen pretty darn fast.
That doesn't happen any more now that most of this is monetized -
they're too busy being told to sit on it by their "sponsors" so full
disclosure actually seems to happen a lot later.

So, the short answer is, if you know about a problem and want to
monetize it - this is great news for you - there are many places with
organizations behind them with deep pockets that will buy your bug.
They organizations
with the money behind it get early access.  Finding bugs in that
environment is not about making software better anymore. You probably
don't *want* better software - you want more bugs. more bugs equals
more money. You probably *want* to keep things like the exploit
mitigation countermeasures in OpenSSL in the software - You certainly
don't want the code base to be easily auditable, and you certainly
don't want the tools that find the bugs
automatically and just get them fixed to find them.

Who loses? well, the rest of us.

So, if you know of a bug in such an organization (that itself sits on
bugs), what would you do? Tell the world for free? Monetize it? or Sit
on it?

I don't have an answer for you. All I can do is tell you the state of
the world :)  In the immortal words of a recently deceased friend of
mine, Life is Hard, Wear a Helmet.


On Fri, Apr 11, 2014 at 5:54 AM, Sascha Mester <> wrote:
> There is no really good reason why security-relating problems should be a
> secret - acceptable reasons for this behaviour never existed. The most
> harmful behaviour I have ever seen since I browse the web.

Reply via email to