Stephen Withers
Monday, 23 March 2009 11:04
Opinion and Analysis
Page 3 of 5
Trouble is, bug fixes are prioritised. If it isn't obvious that there are security implications and the bug only occurs in unusual circumstances, it may be put on the back burner - at least until the bad guys spot the problem and work out how to exploit it.
If security vulnerabilities are your thing, you may not be content with merely spotting a bug - you'll look deeper to find out whether there's a way it can be exploited.
And if someone goes to a vendor with a bug report backed by an exploit (whether it's just a proof-of-concept or a fully working example), the company is saved a lot of effort as far as determining the seriousness of the issue is concerned. There has to be some value there.
That said, Miller did assert that he wouldn't have bothered working on an exploit without the incentive of the PWN2OWN prizes.
Let's not forget that there is a black market for new exploits. Ultimately, that's funded by the millions of people and organisations around the world that fall victim to the resulting malware and the scams associated with it.
It is reasonable to expect people to do the right thing and not sell their exploits to the underworld. After all, we expect that our fellow citizens will not burgle our homes or steal our cars. Most don't, but a few do.
Even so, Miller has come in for some serious criticism. But is the pot calling the kettle black? Please read on.