Vulnerability economics and Free Software
Matthias Kirschner
2013-11-26 05:58:05 UTC
David Wheeler wrote an interesting article about the economics of
vulnerabilities. He fears that the current "vulnerability bidding wars
[...] will create an overwhelming tsunami of zero-days available to a
wide variety of malicious actors." Besides describing some general
problems of bounties in the security field, the main point of his
article is the idea to increase security by criminalising the selling of
"vulnerability information to anyone other than the supplier or the
reporter's government."
About the effects of the vulnerability economics on Free Software
Wheeler writes:

The current situation might impede the peer review of open source
software (OSS), since currently people can make more money selling
an exploit than in helping the OSS project fix the problem.
Thankfully, OSS projects are still widely viewed as public goods, so
there are still many people who are willing to take the pay cut and
help OSS projects find and fix vulnerabilities. I think proprietary
and custom software are actually in much more danger than OSS; in
those cases it's a lot easier for people to think "well, they wrote
this code for their financial gain, so I may as well sell my
vulnerability information for my financial gain".

(Also posted on

Best Regards,
Matthias Kirschner - Vice President FSFE
Schönhauser Allee 6/7, 10119 Berlin, t +49-30-27595290 +49-1577-1780003
Weblog (blogs.fsfe.org/mk) - Contact (fsfe.org/about/kirschner)
Receive monthly Free Software news (fsfe.org/news/newsletter.html)
Your donation enables our work (fsfe.org/donate)