A new company is offering security researchers the chance to profit from discovering, and coming up with innovative fixes for, security vulnerabilities in products.
Their web page (linked above) contains the following ominous paragraph:
We evaluate the vulnerability for the following criteria:
(a) Either the researcher or ourselves can suggest a method of fixing the vulnerability
(b) The fix is difficult to "design around"
(c) The fix can be protected by patents or other intellectual property.
(d) If the fix is adopted, it is easy for us to gain evidence that this has happened.
So, if I'm reading this right, they are only interested in fixes that they can profit from? If a researcher discovers a security hole and they can't patent a fix, then they are not interested?
The next line is even more scary. How do they propose to gain evidence that a fix has been adopted? This suggests some sort of 'phone home' technology to report back to them that a particular machine has the fix installed.
Is it just me who can see several rather worrying aspects to this proposal?
1. It encourages the less ethical security researcher to profit from abusing a security hole if they believe, or find, that they cannot make a profit from the fix.
2. The phone home technology that's hinted at in clause (d) can be exploited. Let's say a security fix is removed by accident from a machine. That fix will then no longer be able to 'call home'. It is now possible for someone to review the database and see just which fixes are missing from which machines, rendering them vulnerable to a non-ethical employee!! This is totally unacceptable.