Vulnerability Markets: Under a Cloud
After some great conversation with Ryan Russell in the comments to “Economics of Vulnerabilities: Markets,” I saw Pascal Meunier’s “Reporting Vulnerabilities is for the Brave:”
So, as a stubborn idealist I clashed with the detective by refusing to identify the student who had originally found the problem. I knew the student enough to vouch for him, and I knew that the vulnerability we found could not have been the one that was exploited. I was quickly threatened with the possibility of court orders, and the number of felony counts in the incident was brandished as justification for revealing the name of the student. My superiors also requested that I cooperate with the detective. Was this worth losing my job? Was this worth the hassle of responding to court orders, subpoenas, and possibly having my computers (work and personal) seized?
(Trading floor image from Texas A&M.)