There's been considerable discussion this weekend of the recent sale of SecurityFocus to mega-corporation Symantec for a sweet $75 million. At issue in particular is SF's BugTraq mailing list, which has for years been the most popular full-disclosure vulnerability list going.
While Symantec has stated that it will not exert influence on BugTraq, which it now owns, many list members find that assurance hard to trust. However, in this case only time will tell. I personally have little doubt that the SF staff intend to keep BugTraq and its extensive archives independent and free. Whether they'll succeed in the long run is an entirely different matter.
The deal has generated further controversy because SF has sold something quite valuable which it received free of charge, namely the exploits submitted by list members. These are valuable for developing scanning software like Snort, Nessus, and the like. And naturally, when this much cash changes hands, people may get envious. They may also feel they're owed something for the free contributions they've voluntarily made.
Coincident with the Symantec announcement, a new list opened up to address the anticipated fall of BugTraq. It's actually called Full Disclosure and is unmoderated, meaning that within hours it began degenerating into a forum for the 'full disclosure' of members' opinions.
Among these are a comment from Charles Stevenson bringing the security 'community' to task for "supporting the exploitation and misuse of proprietary exploit source code to further the large companies' for-profit endeavours."
There was also a suggestion from Jay Dyson that exploit code submissions and vulnerability advisories be licensed in some way to prevent their use by profiteers.
At this point I have to say that The Register and SecurityFocus have a longstanding business relationship involving content sharing. And I may as well add that SF Editorial Director Kevin Poulsen is a close friend of mine; and that I happen to like and respect co-founder Elias Levy, though I'm not closely acquainted with him. Now back to my completely unbiased article.
It does seem odd that contributors to BugTraq should expect consideration after making free submissions to it with no expectation of reward. So far as I know no one at SF ever asked them to perform the work which their submissions represent, or ever promised them anything in return. The idea behind BugTraq has always been to make the information available to anyone who can use it. And so long as it remains freely available, there shouldn't be a problem.
As we saw at H2K2, some people believe that a large fraction of posts to BugTraq have more to do with resume padding than the free exchange of ideas and selfless sharing of research for the improvement of everyone's security. (I happen to agree with this observation.) According to the theory, people send in exploit code they've spent days or weeks perfecting in quest of the publicity needed to find fabulous jobs or to start up their own security firms.
But now people are concerned that BugTraq won't continue to function as it has in service of these ambitions. And if these fears should be justified over time, other public outlets for cleverness exhibition will have to be devised and other forms of compensation sought. Thus the idea of cashing in on the code is circulating.
Of course that would cause problems for developers of free and open-source products. Perhaps a EULA could be useful here, stipulating that the code is royalty-free to GPL'd open-source apps and share/freeware, and imposing a royalty on its use in proprietary, for-profit products. Or perhaps not. Personally, I don't see any way something of that sort can be enforced. If a big company steals your idea, they can all too easily claim that their vast team of researchers hit on the same item coincidentally (this often happens for real, as the publication of new discoveries will set many different people thinking along similar lines).
The questions surrounding vulnerability disclosure are endless and probably insoluble. Even the very fact of disclosure is controversial: many believe that the announcements give malicious hackers an unfair advantage; many others (like me) believe that withholding the information leaves users at increased risk on the theory that forewarned is forearmed.
And the timing of announcements is still in dispute. How long is 'long enough' for a vendor to patch an issue before the details are released publicly? I'm in favor of full disclosure, yet I was appalled when ISS recently gave Apache less than 24 hours to deal with a significant vulnerability.
And now we have the issue of what a researcher is owed for work freely offered. Publicity used to be enough; but now that people have begun worrying about the future independence of BugTraq, it may not be enough for long. As one observer remarked, there's a difference between contributing to SecurityFocus, and working for Symantec.
At this point I have to appeal to the wisdom of The Reg's beloved readers. Does the act of making a free contribution to a public, full-disclosure list imply that the material is up for grabs? Aren't restrictions on further use a contradiction of everything 'full disclosure' represents? Should contributors to open forums expect consideration when someone else profits from their work? Should they have the right to deny use of their contribution by for-profit concerns who refuse to pay? Should open-source developers be given freedom to use the data, while commercial developers are expected to kick back a royalty? Is there any hope of enforcing or defending a patent, copyright or EULA on such submissions? Is there any practice or standard that won't make network and software security an even more gargantuan mess than it already is?
I honestly don't know. ®