Security Research

Security researchers, servants of a morbid system

Yesterday I was reading an article based on a Microsoft report titled “Security researchers exploiting vulnerabilities”.

For me, somebody who was born into the security and hacking scene, it’s total nonsense. The community was finally destroyed, around five years ago, by a short-sighted security market that had been building up over the five years before that.

The underground is dead, hackers were saying, as in an Andersen tale.

The fact is that nowadays exploit development has gone underground, or in the direction of paid bounties and “intelligence” exploit packs: that is, in the direction of the money.

Since not every hacker or researcher wants to play this sick, ethics-free game (see the disappearance of the Full Disclosure mailing list, for instance), fewer vulnerabilities are researched and disclosed pro bono, and if you want access to that knowledge you need extensive financial resources.

What is the result?

Vendors, big intelligence conglomerates and security corporations can tell people that they did a great job securing the world, while the truth is exactly the opposite. High-impact vulnerabilities are now a bargaining chip and will not be disclosed publicly in a timely manner.

For those who believed in the Full Disclosure paradigm, this is the last lost battle of a lost war.

Full Disclosure is part of a real Responsible Disclosure process: notify the vendor and force it to fix the issue quickly, since the details will be public soon, and let people know the risk they are or were exposed to. Or, also from an ethical point of view, feel free to disclose the issue directly. This allowed independent security researchers to get the credit they deserved while guaranteeing transparency; naturally, very little money was involved.

With the current model of vulnerability trading, the researcher loses all control over the disclosure process, which may never happen at all.

It’s easy to speculate, given the facts emerging every day (the NSA, artificial crypto weaknesses, cyber-intelligence and offense), that information acquired for a fraction of its value is now retained indefinitely to allow its exclusive access and use by a number of well-known actors.

Call me idealistic but this maturity model smells of control.

Information is not free anymore.

–Francesco Ongaro
https://twitter.com/isgroupsrl
