Thanks should be given to those people who disclose vulnerabilities, not jail time.
Speaking to IT Security Guru, security researcher Joe Grand, who was in the Boston hacker space L0pht as member Kingpin, said that the people who publicly release research should be thanked and treated as beneficial to the community, instead of putting them in jail.
The L0pht was known for finding vulnerabilities in software and reporting them to the affected companies. Grand said: “Once we realised we could educate the community, the vendors said that even though they don’t like hearing that they have a vulnerability they can educate people and that is how the whole full disclosure thing started.
“We weren’t the only group, but we were one of the first to push vendors to acknowledge the problems and we would go public with them. We helped pave the path for the bug bounty programs and the people that wrote them were involved with the L0pht or associated with the hacker community back then and can shake these companies and say ‘we need to reward these people who are helping us for free’.”
Grand said that the people who sell zero-days on the black market whom you don’t know are the guys you’ve got to worry about. “But on the other hand you still see countries, organisations and Governments who go after someone who goes public with a vulnerability which really hampers things, and can put the researchers on edge because they may be afraid to release something or work with a vendor as they are scared of getting sued.”
Fellow L0pht member Christian Rioux, who was known as Dildog, said that the process of reporting bugs in its time was that you could threaten to release it, and a vendor would say ‘you’d better not release it or we will get you’.
Grand said: “Everyone needs to get on the same page and give researchers the thanks that they deserve, and hopefully everyone can work together to make the products good enough where there are fewer zero-days sold on the black market and less nefarious things going on, because people are not going public with these things, they are not getting thanked and it being worth their while.”
