Christopher Soghoian, American Civil Liberties Union
download slides (PDF)
During the past year, the public has learned a few bits and pieces about the trade in security exploits. Exploits are sold directly to customers, but often through middlemen, and this industry marks a transition away from bug bounties and compensated responsible disclosure through firms like ZDI and TippingPoint. Rather than a researcher making some money and helping to secure the Internet, exploits are now sold to parties, often governments, who are buying them for lawful interception, espionage and cyberwar. While some researchers used to complain about 'no more free bugs', some now make enough on a single sale to buy a house. The money is clearly better, but the ethics are far less clear.
What should be done, if anything, about this part of the security industry? Are researchers who sell exploits simply engaging in legitimate free speech that should be protected? Or, are they engaging in the sale of digital arms in a global market that should be regulated?