Editorial: Swimming with sharks

Opinion by Paul Fisher, Editor of SC Magazine

Is it acceptable to use software vulnerability for commercial gain?

Is it acceptable to use software vulnerability for commercial gain?

Parts of the information security industry have been operating on the basis that sharing information with others, even competitors, is for the common good, the advancement of the industry and the protection of its customers.

In the open-source/Linux world, this sharing has indeed been beneficial and has helped to create a viable alternative to Windows. There has been a semi-crusading zeal behind the open-source revolution - many of its adherents view it as an essential bulwark against the perceived global monopoly of Microsoft. The revenge of the nerds. Of course, this hasn't stopped entrepreneurs becoming rich: RedHat, one of the leading Linux distributors, is now a $135 million (£69 million) business.

According to reports in The Guardian, the spirit of openness in the information security industry is starting to break down. A number of vendors are doing deals with so-called security researchers hawking newly discovered vulnerabilities. This allows them to provide their customers with exclusive protection - thus gaining significant advantage. Some people don't like this.

Paul Henry, vice-president of technology at Secure Computing told The Guardian that the security industry was becoming a protection racket. "The tradition has always been for vendors to share information on vulnerabilities so we can all protect our customers," he said. "Now you've got hackers being given a so-called legitimate route of selling vulnerabilities to a single company who then protect their own."

The same article had other spokespeople from leading security companies expressing horror and outrage at the practice.

On the other side of the argument, the companies that employ the services of security researchers believe they have a duty to give their customers the best-possible service. If that means getting hold of vulnerabilities ahead of their competitors then so be it - by any means.

Perhaps this new trend is a sign of tougher market conditions beginning to take effect. Security businesses that find themselves chasing customers with reduced IT and security budgets are going to behave differently when times turn harder. The faster, more aggressive players will not hesitate to tear up a rule book that doesn't really exist in the first place.

Business morals tend to loosen and indignation disappears quickly once market share declines or a hostile takeover looms. Unless some kind of international law or enforceable code of practice intervenes (unlikely), the chances are that this controversial practice will become widespread. In this case, the real winners may be those that already do it and those that currently decline to express an opinion.

The losers may be those making a very public fuss. Morality is a fine thing - but it can sometimes get in the way of business. The problem is that if you publicly espouse your morality then you better make damn sure you stick to it.



Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events