I don't mean to do a pretentious open letter; think of this as more of a writing style than an actual letter.
I was trying to understand your comments from the opening greetz at ShmooCon this year.
As I understand it, you’re saying that we need more public zero days to secure people. That caused me some cognitive dissonance, so I tried to spend some time thinking this through so I could understand your point better. Let me know if I’m misrepresenting you.
I found your DEF CON 15 slides where you seem to talk about this a bit. (My paraphrase.)
"Full disclosure is dead." Whether you believe in "responsible" disclosure or not, the people in the bug bounty programs believe in it, so the choice is really get paid or not. As a side effect, people aren't dropping oh-days all over conferences, which sucks as a conference organizer.
In your slides, you said “[the people selling bugs] are profiting at the expense of the end user.” How is that?
I'm guessing it is because many software companies patch very, very slowly except when there is media pressure due to public exploitation. That leaves a window in which private exploitation can take place if the bad guys have also found the vulnerability.
Let's not forget that dropping a zero day starts the clock early. The bad guys are exploiting while the good guys at best have a workaround. I have a hard time seeing that as a good thing. I'm guessing your answer would be "at least then you know about the vulnerability."
As a guy running the vulnerability management program at my company, I like the predictability of Patch Tuesday. I've got plenty of other things to deploy. Those unexpected patches really foul things up.
Full/responsible disclosure approaches a religious debate with some people. I don't mean to do that.