We don’t entirely agree with the emphasis Bruce Schneier places on the question of whether security vulnerabilities should be paid for.

In a recent weblog post, he appears to side with Moshe Yudkowsky’s critique of a Red Herring article from a couple of months back that examined the issue of paying researchers for vulnerability information. Sagely, both men question the wisdom of the practice.

To quote Yudkowsky, as Schneier does:

“I think it's misleading to call this practice "outsourcing" of security, any more than calling the practice of tossing packages into the street a "delivery service." Paying someone to tell you about a bug may or may not be a good business practice, but that practice alone certainly does not constitute a complete security policy.”

One of the worries appears to be that, by paying for this information, there is a risk that the value attached to it is bid up. If nobody is willing to meet the price, then what is to stop a researcher from disclosing it irresponsibly? Worse still, by paying for it, companies risk not doing their own groundwork.

These are valid points, but they miss the central issue. There is nothing to stop a researcher from revealing a bug in an irresponsible way, period. In a world where nobody pays for vulnerability information, that is surely even more likely.

All that the small number of companies which openly pay for critical vulnerabilities are doing (see our previous blogs on who is doing what) is skimming the surface of a dense pond. They would not claim to be solving the whole problem, and would certainly not present this approach as an alternative to proper in-house bug research.

Schneier doesn’t entirely disagree with this viewpoint, judging from his comments. But it’s important to be realistic about the issue.

In the long term, the industry will need a number of approaches to keep the problem of vulnerabilities under control, including (in some cases) writing a cheque. The fundamental question is why so many of them exist in the first place.