Saturday, January 16, 2010

Full Disclosure and the Free Market

The argument over responsible disclosure versus full disclosure in the security vulnerability research field is a wide open debate. When a researcher finds a vulnerability that allows someone to attack an information system, do they notify the software vendor, do they make the exploit public, or do they sell the finding to the highest bidder?

Looking at this question from a free market perspective, the same perspective the companies involved use since their goal is indeed financial gain, brings some interesting insights. Say a researcher spends 100 hours finding a vulnerability in a software product, and let's say they value their time at $50 per hour. They have $5,000 invested in this research.

The software vendor in most cases will not sell more or less software because these vulnerabilities are found (look at Microsoft, Adobe, Sun, Red Hat, etc.). Fixing these issues will cost them a significant amount of money, while not fixing the issue will cost them very little. As a result, the software company is motivated not to pay the researcher, and the hope is that if they don't pay, the researcher will exit the market so no more exploits are found.

The person wanting to use the exploit to steal data, commit espionage, or extort a target is motivated to pay for this research. It makes their activities possible and is a key component of their work. A value is assigned to the vulnerability based on the ability of the tool to generate revenue for that person, and that value is what gets paid to the researcher. A security vendor falls into this same category, but is motivated by selling a product that will defend against the vulnerability. Their motivation is the same as the attacker's: the vulnerability is worth paying for because it generates revenue.

The victim company targeted doesn't have the skills or knowledge to defend itself from raw reports of vulnerabilities, so its most cost effective approach is to use the security vendor's product. Given this economic relationship, why would the researcher want to lose their $5,000 investment? Why would we expect them to give it away for free? Do we ask the doctor to work for free? Do we work for free?