HT purchased these vulnerabilities with an understanding that they would not be made public and patched. Then they failed to safeguard them. Clearly these 0-days, and conceivably all computer vulnerabilities, are not close to being as bad as smallpox, but what ethical obligations do actors (companies, governments, hackers, researchers) have to protect vulnerabilities which they plan to not protect the public against?
Say you discover a very powerful attack on AES which allows you under many circumstances to recover the key:
1. Do you have an ethical obligation to warn affected parties?
2. If you don't and instead secretly sell this decryption capability to governments and/or private actors, do you have an obligation to ensure that this capability isn't used illegally or unethically?
3. What due diligence is required to protect a vulnerability of this scale?
I do not disagree. In fact, I personally have a problem with all non-vendor vulnerability sales, for the same reason.
I just think we should be clear that exploit developers, brokers, and users don't actually create vulnerabilities; software companies do.
I also think people should give Adobe a little bit of a break --- not much of one, but a little. Adobe got monstrously successful off a codebase that largely predates the concept of software security. It's a nightmare problem for them, and they are working on it. They should work harder.
15 years ago a pretty sizable chunk of the industry thought heap overflows weren't exploitable for code execution, so I don't think that's the right interval.
Why don't you 100% blame the people at fault: Adobe / the original developers.
First, they were incompetent enough to not correctly develop their software.
Second, non-assholes would have a standing price-match policy for bugs. Adobe should give you 110% of the highest bid you get for any 0-day. They could have fixed these a long time ago if they'd paid the discoverer $45k (or $150k -- times three for exclusivity.) These companies are effectively outsourcing security testing and remediation of their software, then whinging that independent developers don't work for free.
> Why don't you 100% blame the people at fault: Adobe / the original developers.
I agree Adobe is at fault for producing insecure software.
Blame is not a limited resource; there is always extra blame to go around. If I am driving recklessly and my brakes fail due to a manufacturing error, both I and the car company are at fault for the accident. One can always, as HT has done, make a bad situation worse by behaving in a reckless and unethical manner.
> Adobe should give you 110% of the highest bid you get for any 0-day.
Bug bounties are sensible, but price-matching seems too easy to game. How can the company know a bid is serious, and not just fake to be matched? "Oh, sure, so-and-so offered $200k for this bug."
(For that matter, while reputation is certainly a thing, what stops a security researcher from selling the same 0-day to several different buyers, and then selling it to the company to fix? Do the typical contracts to sell 0-days involve continued payment based on the amount of time the bug remains unfixed?)
I'd care a lot more if Adobe, et al, weren't repeatedly screwing up. A couple million dollar bounties and forcing them to pay to internalize their negative externalities will help create the proper internal focus on shipping secure software. Reputation doesn't show up as a line-item.
And if a security dev resells, who cares? The company still got the 0-day and still gets it fixed asap. It's far better than our current situation where these can persist for years.
> what stops a security researcher from selling the same 0-day to several different buyers, and then selling it to the company to fix?
People willing to pay 5 or 6-digit sums for a zero-day are likely... not nice. One wouldn't double-cross them willy-nilly. Multiple-sale to multiple third-parties scenarios are likely happening every day, but selling to developers could be considered an act of sabotage against all buyers, so there is no incentive really.
How about an escrow contract using a third party and bitcoin? You could call it Silk Road 3. It's really not that hard to be taken for a ride if you have the resources Adobe does.
If you know a company is legally obligated to pay up to $x, and that they have $x, you can offer to pay $x/1.1 in collusion/partnership with the bug-seller, for a share of the proceeds. You can outlaw the collusion, but setting up this kind of mechanic seems like a bad idea.