Advocate I

Paying for new zero day vulnerabilities and selling them

Given the news item about yet another platform being launched to source new zero day vulnerabilities for sale, is this an ethical, sustainable method of getting security researchers, and even the dark side, to make a profit?

 

https://www.zdnet.com/article/crowdfense-launches-platform-to-source-new-zero-day-vulnerabilities-fo...

 

I know there are several sides to this, but is it an ethical means of making a profit out of others' misery?

 

Or is this a sensible means of obtaining these new vulnerabilities?

 

What do others think? Are there different perspectives to this?

 

Regards

 

Caute_cautim

 

3 Replies
Contributor II

Re: Paying for new zero day vulnerabilities and selling them

No doubt it would seem unethical, but the sad fact is that for good ethics / morality to be applicable, they should be followed by everyone at all levels.

 

When it comes to finding out and exposing vulnerabilities in systems, people would want to know what impact it may have on them, often with the question 'What's in it for me?'

 

Vaguely related to this is something I experienced many years ago...

 

My family was based in our home country, save my Dad who was working abroad. During one of his visits, he happened to spot a burglar attempting to break into someone's house, and alerted the cops. The person was apprehended --- and we assumed that was the end of it. More than a month later, we visited my Dad abroad. After we returned, there was a notice on the front door --- stating that because my Dad failed to appear for the hearing as a witness, we were liable to be penalized!

 

(Consequently, if I spot something like this now, I'm very likely to pretend I didn't see it)

 

Since performing a moral action can have unwanted consequences, such things are often incentivised --- else people may prefer not to take the trouble or to keep quiet about what they know...

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Advocate I

Re: Paying for new zero day vulnerabilities and selling them


@Shannon wrote:

 

(Consequently, if I spot something like this now, I'm very likely to pretend I didn't see it)

 


I understand your point of view, but also consider the case of Kitty Genovese,

more info here: https://en.wikipedia.org/wiki/Murder_of_Kitty_Genovese

Basically she was attacked and killed while a disputed number of witnesses heard the attack and did nothing to aid her. Even though the number of witnesses (originally published as 37 or 38) is disputed, the fact remains you can't let that one bad event change who you are. If that doesn't convince you to act, consider what happened to me 3 weeks ago.

 

I recently experienced a near death experience. I was working on my daughter's truck changing the front shocks. To make it go faster I took off both front wheels after I had jacked up the vehicle and supported it on jack stands. The shocks were the wrong ones so I sent her to the parts store to get some new ones. I had some other work to do underneath the truck and in a split second of complacency went to work underneath the truck without putting the wheels back on. Well, one of the jack stands failed, which caused the other to fall over. The truck came crashing down on me, quickly crushing me and forcing the breath out of me. In less than 6 seconds I passed into unconsciousness. I didn't even have time to be scared and I couldn't scream for help because I was being crushed. Luckily for me my neighbor was having a get together in his yard. A row of trees prevented them from seeing what was going on, but one of the guys heard the truck fall and decided to check it out. He came over and started hollering for the guys to come and bring a jack. I heard none of this. I awoke when they pushed a jack under the truck and it hit me in the face. I remember coming to and seeing them start jacking, but then letting it down so they could get a better jack point. Then they jacked it up enough where I could crawl out. I suffered some cracked ribs, a bruised heart and some serious chest bruising. In my mind I only blacked out for a few seconds. I found out later it was anywhere from 5-10 minutes. I also found out that the group of guys had started lifting the truck by hand until they could get a jack over there. While I was pinned under the truck I remember several bouts of waking up but no clear idea of what had happened or how bad the situation was. I think this was the result of the guys holding up the truck just enough where I could start breathing again.
Had that guy waited or hesitated or talked himself out of coming to check on me, my wife would have come out later or my daughter would have gotten back and found their spouse/father dead or extremely brain damaged. By the time my wife got outside they had gotten me out so she or my other kids didn't have to see me pinned under the truck.

 

I am extremely lucky to be alive and I am extremely grateful for the action of that one person that triggered the group to act. They could have decided not to act. They could have decided that they might get sued or might hurt me trying to get me out so they would just call the paramedics/fire/police and let them try to get me out. I would have been dead or brain dead by the time help would have gotten there.

 

You cannot let the results of one event stop you from doing what is right.

Contributor II

Re: Paying for new zero day vulnerabilities and selling them

@CISOScott, there's no arguing with what you said there. With exposing application or system vulnerabilities, though, inclination can be affected by a multitude of factors & hence the need for an incentive, which is what I was trying to get at.

 

Unfortunately I wasn't able to provide a good example. (Okay, that's putting it mildly)

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz