  • Selling exploits

    PC World had an interesting article on Charlie Miller who gained notoriety earlier this year for hacking Safari in less than 10 seconds.

    He's started a "No More Free Bugs" campaign, which more or less marks his intention to start selling exploits rather than giving them away for free. Guy's gotta eat after all, right?

    But PC World is a little bit worried about who he might be selling those exploits to...

    What do you think?

  • #2
    Re: Selling exploits

    I think legal actions leading to fees from a lawyer could cost him more than he makes.

    Lawyers for the businesses with the faulty code may argue that extortion would exist to force them to pay him money to prevent a dirty secret from being made public, which would cost them profits and resources once it was announced.

    • #3
      Re: Selling exploits

      If you didn't see them in the linked article, here are his arguments:

      Originally posted by No More Free Bugs (http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/)
      • Vulnerabilities place users and customers at risk. Otherwise, vendors wouldn’t bother to fix them. Internet malware and worms spread via security vulnerabilities and place home users’ and enterprises’ sensitive data at risk.
      • Vulnerabilities have legitimate value. Software vendors pay their own employees and consultants to find them and help them fix them in their products during development. Third-party companies such as Verisign (iDefense) and ZDI will pay researchers for exclusive rights to the vulnerability so that they may responsibly disclose it to the vendor but also share advance information about it to their customers (Verisign/iDefense) or build detection for it into their product (ZDI). Google is even offering a cash bounty for the best security vulnerability in Native Client. Donald Knuth personally pays for bugs found in his software and Dan Bernstein paid $1000 personally as a bounty for a vulnerability in djbdns.
      • Reporting vulnerabilities can be legally and professionally risky. When a researcher discloses the vulnerability to the vendor, there is no “whistle blower” protection and independent security researchers may be unable to legally defend themselves. You may get threatened, sued, or even thrown in jail. A number of security researchers have had their employers pressured by vendors to whom they were responsibly disclosing security vulnerabilities. Vendors expect security researchers to follow responsible disclosure guidelines when they volunteer vulnerabilities, but they are under no such pressure to follow responsible guidelines in their actions towards security researchers. Where are the vendors’ security research amnesty agreements?
      • It is unfair to paying customers. Professional bug hunting is a specialized and expensive business. Software vendors that “freeload” on the security research community place their customers at risk by not putting forth resources to discover vulnerabilities in and fix their products.

      • #4
        Re: Selling exploits

        Originally posted by bascule
        If you didn't see them in the linked article, here are his arguments:
        I don't see a legal defense in that quoted text.

        I see attempts at explanation, and requests for excuse, but by stating these in a case, there is admission of having created the exploit, and offering it for sale, showing intent to create a tool that (arguably) has the only purpose to expose a weakness in something and break it.

        Choosing to sell it instead of give it away provides an argument for the prosecution/plaintiff to explain that there was no genuine intent by the defendant to act in good-faith to help consumers of the product.

        To avoid the extortion elements, the vulnerability could be announced to the public, even under a pseudonym.

        What I would be looking for would be this:
        "What legal, 'get out of jail free,' card exists for extortion?"
