No more free bugs? Is bullshit.

May 14th, 2009

So this will be hard to swallow for some. Particularly those who idolize folks like Charlie Miller, Dino Dai Zovi, and Alex Sotirov. Or whoever you know that found some amazing hack and paraded it around to win themselves a few minutes of supergeek fame.

Business 101: You can’t forcibly create a market where there isn’t one. It doesn’t work, it never has, it never will. So for those “vulnerability researchers” who are complaining about how they are getting the shaft from software vendors who won’t pay them for the bugs they find, I hate to break it to you, but you’re shit out of luck, methinks. I think you inevitably have one of three options:

  1. Keep finding bugs because you love finding bugs. Get your little minute of fame, and maybe your new MacBook or whatever, and STFU.
  2. Sell your bugs to WabiSabiLabi or iDefense or some other marketplace. Maybe even an underground marketplace if your ethics are questionable.
  3. Stop doing it. Get out. Find a new hobby. Get some sun, maybe – slowly, though, that pasty skin will burn if you’re not careful!

In a recent article in SC Magazine, Dino Dai Zovi states the following:

“Vendors have been getting a freebie for a while,” Dai Zovi said. “[But] why would I want to sit down and volunteer to find a bug in someone’s browser when it’s a nice, sunny day outside?”

Well, great question! Just DON’T! Seriously, are we all supposed to have some sympathy for folks who volunteer their time to find software bugs? Another dose of reality: all software has flaws. I can live with this. It’s just a part of business. So stop trying to make it seem like it’s these terrible, sloppy vendors who code so badly that SuperSecurityCoderMan has to come in behind them to show them all how bad things really are! Geez. Just SO SICK of this. I respect your skills, bro, but either help the community, take your 15 minutes and move on, or just stop with it already.

The other argument I hear is that “if I didn’t find this bug, some evil h@X0r would”. OK, let it happen. Seriously. If it happens, it happens, we can’t avoid the inevitable forever. But lose the martyr act. I, for one, am over it.

