http://blogs.zdnet.com/security/?p=2941


interesting take don't yah think?

It's definitely a fine line. 

While the assumed "right / moral" thing to do is report the bug to Apple (or whatever vendor) and get it fixed, there are a growing number of security-related sites and companies who will readily pay for this type of information disclosure, and companies like Apple really need to consider whether they want the information released to those companies, first, before they have a chance to fix them.  Ethics would say the author of the post should just give the exploit info to Apple, but all things considered, one can easily see why a person might just submit it to someone else, who's readily willing to pay for it.  After all, as the post says, "Apple pays people to do the same job so we know there’s value to this work."  So if they can pay people to do it, why can't they shell out a bit for an outsider, who found something that, perhaps, their paid help did not?

I personally wouldn't charge for a finding, unless I was being contracted / paid to look.  If I found something, otherwise, because I felt like digging around - well, that was my choice / my time, and I wouldn't expect someone to pay me for my own fun and excitement.  I'd have to agree with NickFnord, in that, if I went looking, and then asked them for pay for finding their bugs, I'd feel like it was 'extortion.'

It's a rough world we live in...  and definitely a touchy subject to many.

I'm with timmedin on this one.  Look at MS08-67 as a great example.  While this case is extreme, there clearly is a financial motive in it.  I think vendors have to look at their actual costs and figure out what it's worth to them to find out about this kind of thing before it's released into the wild.  For that matter, I think they need to look at competing with the black market prices.  MS can afford it.  Every time someone uses a zero day (and its later found out) their image suffers. 

A vendor can prevent an exploiter from selling their discoveries to the black market simply by being the highest bidder.  Right now all you get is a pat on the back (or scornful remarks) and if you're lucky a chance to speak at one of the many security conferences about your discovery.  Vendors: its time to pony up the dough.