Keynote address: The trade in security exploits: free speech or weapons in need of regulation

Christopher Soghoian, American Civil Liberties Union


During the past year, the public has learned a few bits and pieces about the trade in security exploits. Exploits are sold directly to customers, but often through middlemen, and this industry marks a transition away from bug bounties and compensated responsible disclosure through firms like ZDI and TippingPoint. Rather than a researcher making some money and helping to secure the Internet, exploits are now sold to parties, often governments, who buy them for lawful interception, espionage and cyberwar. While some researchers used to complain about 'no more free bugs', some now make enough on a single sale to buy a house. The money is clearly better, but the ethics are far less clear.

What should be done, if anything, about this part of the security industry? Are researchers who sell exploits simply engaging in legitimate free speech that should be protected? Or, are they engaging in the sale of digital arms in a global market that should be regulated?
