Shostack + Friends Blog Archive


Vulnerability Markets: Under a Cloud

After some great conversation with Ryan Russell in the comments to “Economics of Vulnerabilities: Markets,” I saw Pascal Meunier’s “Reporting Vulnerabilities is for the Brave:”

So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?

(Trading floor image from Texas A&M.)

2 comments on "Vulnerability Markets: Under a Cloud"

  • beri.gilfix says:

    Thank you for Mr. Meunier’s article. It had never occurred to me that being a computer “good samaritan” and helping to identify a problem could lead to such consequences.
    What a strange world we live in.

  • While enjoyable, be advised that wandering around and suggesting to people that their system isn’t nearly as robust as they think has historically caused a fair number of problems for the avid enthusiast. Side effects may include hemlock cocktails or being nailed to a tree.
