People will decry this, but I'd argue a free and open market for vulnerabilities would be a great thing. Here's why:
1) It would result in more vulnerabilities found
This is fairly axiomatic. An open market increases the price of vulnerabilities which in turn increases the number of vulnerabilities found (unless you want to argue the ability to find vulnerabilities is inelastic for some reason).
2) It would result in more vulnerabilities being disclosed to the proper authorities rather than malicious parties
This is more debatable, but since there should always be significantly more incentive on good actors to prevent the exploit (i.e. the software creators and/or community) than bad actors, the good actors should always win the bid. Indeed, one could argue that the prevention of free negotiation in the sale of vulnerabilities is the only reason an exploit is ever sold to bad actors (e.g. if I found a Windows vulnerability and told Microsoft $10m or else, I'm a criminal).
3) It would ultimately increase the quality of software
Given more vulnerabilities are found and more vulnerabilities would be disclosed to good actors, the quality of software increases.
I believe that 2) is essentially the Coase theorem (http://en.wikipedia.org/wiki/Coase_theorem), but I am only an arm-chair economist. Also, I'm not sure that what Mitnick is doing actually is a free and open market for vulnerabilities.
I upvoted, not because I agree, but because I believe the people downvoting you are downvoting because they disagree and not because your comment shouldn't be heard.
Imagine he had said: I believe a free and open market for weapons would be a good thing, because it would reduce the number of defenseless people, would result in a power imbalance that puts generally-okay actors at an advantage (say what you will, but the mob doesn't have 1% of the resources the US government does), and would therefore reduce crime.
I do not personally find that argument compelling (and it is of identical structure to the above), but me disagreeing with it does not mean it isn't of sufficient quality for Hacker News.
I don't think the weapons analogy is a good one. For the developer of the software, the purchase of the "weapon" also essentially makes all other instances of that weapon useless forever (assuming customers patch promptly).
Perhaps restricting the analogy to nuclear weapons would make sense. Only nation states (software companies) and terrorists (malicious hackers... and perhaps intelligence agencies) would be interested in purchasing such weapons.
> I do not personally find that argument compelling (and it is of identical structure to the above)
Replacing "vulnerabilities" with "firearms" while retaining the same argument structure does not mean that both arguments are logically identical (a false equivalency). The implications of a free market for information security and a free market for firearms are totally different.
With some round of the vote tweaks they did earlier this year it seemed like there was a huge amount of extra volatility injected in the early up/downvotes. Almost any comment on how a comment has been voted down seems to wind up wrong within a half hour or so. And this happens quite a lot.
Thanks. I was disappointed to see downvotes rather than engagement in the argument.
You prompt a fascinating hypothetical: suppose all the world's atomic weapons were put up in a free, transparent auction? (i.e. bidders and bids are disclosed)
I'd argue that most would end up in the hands of good actors (e.g. the world bands behind the Dalai Lama to buy and destroy them all), but who knows? Good debate topic for happy hour, though.
I'm not sure you can, in practice, have a completely free and open market for vulnerabilities, since any information about the vulnerability released broadly is likely to shorten the path to others discovering the same vulnerability [1], devaluing it implicitly through partial disclosure. So there's an interest in the market being small and secret: for the seller, to keep the price high, and for the buyer, to maintain exclusivity on the exploit.
[1] As a case in point, I showed the headline of the email for the bash vulnerability to a coworker today on the commute and he instantly described in accurate detail how it probably works. Not that this was a particularly difficult case, but I think the principle holds.
> This is fairly axiomatic. An open market increases the price of vulnerabilities which in turn increases the number of vulnerabilities found (unless you want to argue the ability to find vulnerabilities is inelastic for some reason)
Wait a second...won't increasing the number of vulnerabilities found push prices down? If I'm looking to penetrate a system I only need to buy one vulnerability, so in effect different vulnerabilities are somewhat fungible and so should compete on price. Hence, if more vulnerabilities are being found and coming to market, prices should be going down.
On the other hand, with a free and open market for vulnerabilities there would likely be people who would NOT have bought vulnerabilities on the black market buying vulnerabilities on the safer, easier to use free and open market, so demand could go up, raising prices.
>An open market increases the price of vulnerabilities
That's impossible to tell. You could just as easily say that the price will crash when you take away all the costs and risk of running a black market and give buyers a place to compare multiple "products." The demand side could just as easily be inelastic (or at least saturated) as the supply.
> the good actors should always win the bid
This works if you're talking about Microsoft, but not if you're talking about smaller companies or open source products. Maybe a Google or a Facebook would step up and pay off the market for things that they use, but "the rich people will take care of us" is not a setup that I'm comfortable with.
But you aren't choosing between a perfect world, where bugs get reported only to the vendors and the vendors promptly fix them, and an open market. Right now, governments and shady corporations are already buying. If it costs some company $250k or $1M to buy their vulnerability, maybe they'll work harder in the future. Or hire their own pen testers. And they'll have the money, because almost by definition attractive vulnerabilities are those in widely used software.
In the complaints about auctioning off vulnerabilities it's hard to avoid hearing companies bitching that they may have to pay security researchers, and it will be harder to intimidate them with law enforcement.
I mostly disagree with arguments to rationalize the sale of exploits, they create a massive power balance towards bad actors, but we have to be honest with ourselves, and like drugs, 0days are not going away.
Our only proper response is secure software development practices, employment of security researchers, and adoption of security-centric practices in critical systems... such as the Linux kernel. Which is embarrassingly not the case at the moment. For ex: http://unix.stackexchange.com/questions/59020/why-are-the-gr...
On your second point.... Governments should be assumed to be bad actors and they certainly have some of the deepest pockets. If an open market increases the price, it would seem to make it a better market for bad actors.
Especially if we think of small software companies or open-source projects (like OpenSSL) who can't afford to pay hundreds of thousands of dollars to secure their own exploit.
On your overall point... I think this issue of selling 0days is more a debate of ethics, and I don't think economics can solve a problem of ethics.
> An open market increases the price of vulnerabilities
What's your logic behind this? I believe this to be false. To my knowledge the black market commands artificially high prices on illicit goods as a rule, except when the good is available on the open market. See:
1) The goods are stolen and need to be unloaded quickly.
2) Open market prices are artificially high thanks to things like taxes (example: alcohol, cigarettes)
The market concept is nice for the reasons you listed, but doesn't it add an incentive to introduce obfuscated exploits into code then sell an exploit to them later?
It amuses me to hear how middle-class people are baffled by the fetishization of criminality in hip-hop culture, when we fetishize the same type of assholes in our culture. Mitnick is a criminal and all the pro-hacking sympathies have been wasted on a very, very undeserving person. Funny how easily you can manipulate public opinion with the right PR and anti-government message. Everyone wants to be the rebel against "the system." Everyone seems to think they're the Ayn Rand hero amongst the idiots, when in reality, the rebels and the intellectually vain are easily co-opted politically. The rise of libertarianism in geekdom seems to fall under the same dynamic.
As far as I could ever tell, 90% of the sympathy for Mitnick was because of the excessive sentencing passed down by the government. It's less like hip hop idolizing gangsters and more like sympathy for Rodney King, who was drunk driving at 100 miles per hour and resisted arrest before he was beaten by the LAPD.
> Mitnick served five years in prison—four and a half years pre-trial and eight months in solitary confinement—because, according to Mitnick, law enforcement officials convinced a judge that he had the ability to "start a nuclear war by whistling into a pay phone", meaning that law enforcement told the judge that he could somehow dial into the NORAD modem via a payphone from prison and communicate with the modem by whistling to launch nuclear missiles. He was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone. [1]
He committed a series of crimes, and prison was appropriate. Solitary confinement, however, was not.
I was fooled into this when his first book was released, "The Art of Deception". I think I read the first three pages and my heart sank because it wasn't a book about computer stuff really at all, and I started thinking this guy is a fraud. But mostly I was fooled by marketing. (I was 12 at the time.) I just remember being very let down by the book and not being a fan of Mitnick for that reason.
The comment section of this post has an underlying anger towards the hi-jacking of the word 'hacker' as it was and is applied to Kevin Mitnick and thus misunderstood by the public waaaaay too often.
Interesting, I had the exact same reaction as you. Bought the book (along with Michal Zalewski's Silence on the Wire), got less than a chapter in, and put it down in frustration. I've since wondered if I should go back and give it another chance. Sounds like no?
For what it's worth, I really enjoyed Zalewski's book. He seems like a really smart guy.
So you bought a book that's sold as "The world's most infamous hacker offers an insider's view of the low-tech threats to high-tech security"[0] and expected it to be about serious computer-based intrusion?
The first chapter (the one about random-number generator numbers and slot machines) was almost cool though (the rest was so-so, leaving that very impression you mentioned) -- read it in Russian, in translation, in a book store [and decided not to buy].
Is a criminal, or was a criminal? If you claim he is (in 2014) a criminal, is it because of his crimes pre-1995, or some crime he committed in the past year? If your answer is the former, then you are essentially saying "once a criminal, always a criminal." And if you claim that, I will throw some counterexamples in your face, beginning with myself.
Governments are almost always the market for zero-days. Private security companies also buy them, but guess who their primary market is? Look at FinFisher's customer list.
There is nothing libertarian about the defense industry or their actors. Unless you mistake neo-liberalism as libertarianism as far too many people do.
> Your pro-government rant doesn't fit in this case because the government is one of the customers in the zero day market.
(Legitimate) governments generally are the only legitimate users of 0-days. Governments can legitimately and legally hack into your computer; nobody else can. Governments can legitimately and legally shoot you, but generally nobody else can.
One definition of government is that they have a monopoly on violence.
(I say "generally" above because there are exceptions, of course.)
Maybe it's because I'm pretty much in the libertarian/anarchist spectrum, but I think that if what he's doing is legal, it's for the best that it's done openly.
The alternative to free markets isn't "no markets" or some flowery hippie ideal world. It's mafia and black/dark markets operating in complete or partial secrecy.
> Mitnick is a criminal and all the pro-hacking sympathies have been wasted on a very, very undeserving person.
Wow, he hacked into some corporation's computers, that's just so awful. Pacific Bell - a shady monopoly who is granted a monopoly by the government, and in return showers politicians with bribes, I mean donations, and sends our calls and web history off to the NSA for monitoring and permanent storage.
> in reality, the rebels and the intellectually vain are easily co-opted politically
In reality, he has been doing security consultations for corporations, so he has already been co-opted. "The service has offered to sell corporate and government clients high-end 'zero-day' exploits". That doesn't really smell of rebel. Of course, everyone has to grow up and make a living.
I can think of a number of IT companies that were founded in the past 20 years, sold for billions of dollars, or worth billions or even hundreds of billions of dollars, that were founded by ex-hackers, or at least people very associated with the hacker scene and whose first technical hires were ex-hackers. It's mentioned in the tech press, in interviews, in blogs etc. It's easy enough to look up if you want to. I mean, one of YC's founders is rtm, and he was around back in Viaweb days.
It's difficult for me to conceive of a modern working class kid interested in technology today; it seems he has more resources at his disposal (although not many - a dinky Vic 20 booted people right into a programming environment, whereas a kid with an iPad and iPhone today would find it very difficult to program his own device - it is pretty much that definition of an embedded system, a device that can't program itself). Back in the 1980s a working class kid with a Vic 20 and 300 baud modem could only call people locally, call local BBS's, and be stuck with poor computing power.
If he hacked and phreaked, he could call around the country, access teleconferences, call BBS's around the country, access powerful Unix, Vax/VMS etc. systems, access the Internet, access x.25 networks and x.25 chat networks in Europe etc. He could follow the law and accept his straitjacket of being designated by the Relations of Production to be one who works a menial job, and for the privilege of being allowed to work he can kick up his expropriated surplus labor work time to the idle class job creator heirs who own his company. Or he can bend the rules, see new vistas, and somewhere down the line maybe co-found a billion dollar company, or a hundred billion dollar company. Then he, or his apologists like you, can then go around complaining about the kids hacking into his company's computers.
"Mitnick became a symbol of government oppression in the late 1990s, when he spent four and a half years in prison and eight months in solitary confinement before his trial on hacking charges. The outcry generated a miniature industry in “Free Kevin” T-shirts and bumper stickers."
I wonder if money could be made selling 'Fuck Kevin' shirts and bumper stickers now.
You just need to put a "fuck Kevin" sticker right next to it. Like when weev was imprisoned: yeah he probably deserves to be in jail, but not for that particular "crime", and probably the abuse he got while in jail was also inappropriate.
"My clients may use them to monitor your activities? How do you like them apples, Chris?" -- Mitnick to ACLU technologist, last line of article
Wow what a first class dick. He's implying that he will be glad to sell zero days to the government to illegally monitor ACLU activities (e.g. free speech, etc.)?
Look at Mitnick's twitter feed. He clarified that the comment was just a "fuck you" in response to Chris's "you are a felon" comment. Mitnick said he wasn't serious.
I've always thought it would be a just punishment for a neutral, but government arbitrated, third party to hold a highest bid auction for zero-day exploits, where the breached company has the opportunity to buy back their bad security at a market price. I feel as though making it public and legal would force larger targets to make better security decisions, instead of the current status quo of letting them off with tiny fines if anything at all.
Eh, just require all profits above $XX million to go to paying down the national debt. It's a government sponsored monopoly that he is suggesting; it's reasonable to cap its profits.
Worse than a reseller. If you read his website, it turns out he's just a broker. He doesn't actually buy them from the researcher and then try to sell them. He just brokers a deal between the researcher and the buyer (if he can find one); taking an exorbitant fee in the process.
That's exactly what thegrugq does too. Tomorrow if I find an iOS bug that's exploitable I don't have a rolodex of contacts to sell it to hence the need for this service. As a middle man he can confirm the bug hasn't already been discovered and is generally trusted not to keep a copy himself and hack the planet with it after sale. This arrangement protects the seller too from revealing their exploit code to the buyer before payment. Anybody could create a Tor market for auctioned exploits but somebody has to verify the goods first or you get swamped with junk offers.
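The escrow property this comment describes (the seller does not hand over exploit code before payment, and the buyer cannot be handed junk after paying) can be modelled with a salted hash commitment. This is an added example, not code from the thread and not a description of how Mitnick's or thegrugq's service actually operates; the broker-held `Escrow` class, the `commit`/`verify`/`run_sale` names and the sample payload are this example's own assumptions. The salt matters for the same reason the partial-disclosure comment above gives: an unsalted hash of a short description could be guessed by hashing candidate descriptions.

```python
"""Salted hash commitment with a hypothetical broker-held escrow (added example).

Assumed flow (not any real broker's process):
  1. Seller commits to the exploit bytes: c = SHA-256(salt || exploit); sends c only.
  2. Buyer funds escrow against c, having seen no exploit bytes.
  3. Seller reveals (exploit, salt); escrow releases only if the reveal matches c,
     so the seller cannot swap in a different payload after being paid.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


def commit(payload: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (commitment, salt). A 32-byte random salt keeps the commitment
    hiding even when the payload itself is short or low-entropy."""
    if salt is None:
        salt = secrets.token_bytes(32)
    return hashlib.sha256(salt + payload).digest(), salt


def verify(commitment: bytes, payload: bytes, salt: bytes) -> bool:
    """Constant-time check that (payload, salt) opens the commitment."""
    expected = hashlib.sha256(salt + payload).digest()
    return hmac.compare_digest(expected, commitment)


@dataclass
class Escrow:
    """Hypothetical broker-held escrow keyed to one commitment."""
    commitment: bytes
    price: int
    funded: int = 0
    released: bool = False
    delivered: Optional[bytes] = None

    def fund(self, amount: int) -> None:
        self.funded += amount

    def reveal(self, payload: bytes, salt: bytes) -> bool:
        """Accept the seller's opening only if the buyer has paid in full and
        the opening matches the original commitment."""
        if self.released or self.funded < self.price:
            return False  # no payment, no delivery
        if not verify(self.commitment, payload, salt):
            return False  # substituted payload: funds stay locked
        self.delivered = payload
        self.released = True
        return True


def run_sale(exploit: bytes, price: int, funded: int,
             reveal_payload: Optional[bytes] = None) -> dict:
    """Drive one sale end to end and return the outcome for inspection.
    reveal_payload lets a test simulate a seller who reveals something else."""
    c, salt = commit(exploit)
    esc = Escrow(commitment=c, price=price)
    esc.fund(funded)
    opened = exploit if reveal_payload is None else reveal_payload
    ok = esc.reveal(opened, salt)
    return {"ok": ok, "paid": esc.released, "delivered": esc.delivered}


if __name__ == "__main__":
    # Constructed sample payload; stands in for exploit code in this example.
    sample = b"PoC: constructed placeholder bytes for the example\n"
    print("honest sale:      ", run_sale(sample, price=100, funded=100)["ok"])
    print("underfunded sale: ", run_sale(sample, price=100, funded=50)["ok"])
    print("substituted reveal:", run_sale(sample, 100, 100, b"junk")["ok"])
```

The commitment does not stop the buyer from discovering the bug independently before paying, and the salt only protects against guessing, not against a seller committing to junk in the first place; that verification step is still the human broker's job in the arrangement the comment describes.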
This is similar to patent trolls, no? Both don't produce anything worthwhile, buy from others and use it to intimidate others (except patent trolls do it themselves in the open, whereas he sells it to people who'll probably use it secretly)
It's also similar to patent trolls in that the people doing it breath oxygen and have skin.
In the case of patent trolls, they're leveraging asymmetries in the legal system and flaws in intellectual property laws to profit from non-meritorious lawsuits.
To the extent that a market in zero-day vulnerabilities is something you want to have (I'm not sure where I stand on this, exactly), a firm with a reputation to maintain does have a role to play. They sell the exploit to Mitnick, who has an idea of which ones he'll be able to sell, and the companies buying them are able to avoid the transaction costs and risks associated with buying and then testing potential zero-day vulnerabilities submitted by arbitrary hackers and counterparties. He's playing a valuable role by mitigating risk for both the companies he approaches and the random hackers. Consider also that it's hit-or-miss when you try to contact a company about zero-day vulnerabilities whether or not they are going to pay you, ignore you or, worse, sue you. Knowing Mitnick doesn't sue people who submit bugs to him, and presumably he has lawyers vetting this operation carefully, is a significant benefit for bug-finders.
Well, this is what happens when researchers are snubbed by software vendors.
I don't agree with the attitude and sale of vulnerabilities, but if someone approaches the vendor and gets the responses "this is not a vulnerability" or "why are you hacking our software, we're calling the authorities", this is where it ends up...
For those wanting to criticize Mitnick's actions, what I gather from the following quote is that there is an existing "industry" around finding, and selling these exploits...
"Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between."
Can anyone shed light on these "researchers" and how they sell their exploits now? Or is this just a friendly way of saying "we pay hackers for exploits and then blackmail vendors"?
They generally don't blackmail the vendors. Someone paying $100,000 wants to get in someplace.
I can't say I like the money-for-exploits thing, but one good thing is that it's made most companies be very nice to people to want to voluntarily report bugs. Silver lining and all that.
[1] http://en.wikipedia.org/wiki/Kevin_Mitnick
[0] http://www.amazon.com/The-Art-Deception-Controlling-Security...
Calling them a criminal does not necessarily invoke [2]
[1] a person charged with and convicted of crime
[2] a person who commits crimes for a living
Lawyers have power, Doctors have power, Hackers have power.
The Finnish software house Reaktor recently invited Mr. Mitnick as a "keynote speaker" into their popular event for software developers:
http://reaktordevday.fi/2013/
To be honest, I didn't understand the relevance at all. The idolization seemed quite childish.
and
> The rise of libertarianism in geekdom seems to fall under the same dynamic.
I can agree to the first, the second can be simply attributed to an understanding of the first. It is unfortunate that you don't see the connection.
The corruption of traditional causes and activism is what leads people toward libertarianism.
Incidentally, Fuck Kevin.
A glorified reseller and scumbag. Pathetic.
I don't know what to do about it, either.
About the best I can come up with is to support software that I feel makes the best effort they can to defend against exploits.