Tuesday, 14 April 2009

No More Free Bugs?

Charlie Miller (famed in part for his past successes at the CanSecWest pwn2own contests over the last couple of years) has started an email thread over on the DailyDave mailing list regarding the No More Free Bugs initiative. The rationale behind this initiative can be found over here:

http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/

Whilst I have every admiration for the past work of people involved with NMFB such as Miller, Alex Sotirov and Dino Dai Zovi, I can't help feeling that this initiative is either doomed, misguided or both. I can understand why security researchers may feel that they get a rough deal through a lack of financial recompense for the time, effort and frustration they go through when finding and exploiting a vulnerability and then managing a responsible co-ordinated disclosure with vendors. However, there is no real commercial incentive for vendors to want to pay for this service – sure, customers may end up with a more secure product due to the work of security researchers, but at the same time, customers may not have been aware that they had an insecure product without the work of the security researchers (a much better position for the vendors, if not the customers!).

The NMFB guys are keen to avoid being dragged into a debate about disclosure but I'm not sure how you can avoid the topic when talking about paid-for security research. For example, I really don't see the benefit that vendors would gain from paying for bugs and then advertising the details of the vulnerabilities via full disclosure. Maybe I'm just cynical but I can't avoid believing that such paid-for bugs may be fixed on the quiet with paying customers never finding out about the risks that they had been exposed to... unless a few guys are still happy to publish details of reverse engineered patches for free. There's also a pretty vicious circle out there – if bugs are no longer disclosed, end users will stop worrying about them and any commercial drivers that do exist will start to wither away reducing the value placed on discovered bugs.

It's an imperfect world out there, and the current situation with respect to the handling of security vulnerabilities is certainly far from perfect, but I'm afraid that I don't believe that moving to a paid-for approach to security research will improve matters in the long run.
