Many people have wanted, many times without success, to criminalize any researcher who invests time in bug hunting, especially in security-related applications.
In many societies this is a taboo: some people think that finding a vulnerability and developing a proof of concept is the equivalent of making a weapon. They argue that such exploits could be used to carry out attacks that, at the end of the day, could affect property and life.
Let's do the following exercise together:
Imagine that the law criminalizes anyone who finds a vulnerability. Script kiddies would then no longer have access to a big vulnerability database, and the impact would be reduced.
But how long would this last?
First of all, we should understand that the internet is a free and borderless space belonging to more than 190 countries around the world. Every country would have to agree that this is a crime at the same level, and cooperate with each other.
Currently, many exploit writers publish their work at information security conferences and in online forums, and notify the companies for free in order to get a fix. However, someone who does not have the “ethical” interest could earn dozens or hundreds of thousands of dollars for every vulnerability. He could sell it once or multiple times on the black market:
- Governments: Governments have already established how much a vulnerability costs (given the technology). However, when we talk about governments, we are talking about any government around the world (more than 190 national governments, plus dependencies, plus corporate governments, etc.).
- Computer Hackers: Any other hacker who lacks the skills or the time could be interested in the vulnerability. They usually buy such vulnerabilities in order to carry out mass attacks, resell them, and make a lot of money for every cent invested. The black market could pay 5-6 times more than a government.
- Terrorists: Even terrorists want to have vulnerabilities; they could use them to achieve their plots.
- Developers and Companies: There are a few companies that are responsible enough to participate in the debugging process and pay the researchers in order to improve quality. These reward programs may not pay the real value of these researchers (who are valued at more than 160K USD per year). However, this helps the developer to be ethical and the company to be responsible.
The law could try to implement a prohibition on finding vulnerabilities in computer programs or systems; however, vulnerability finding could happen anyway. If someone is willing to pay, someone is willing to provide.
This is where the reader thinks: “then, we will enforce the law”. And this is when I recommend re-reading who the first buyer on the black market is. And... if the government is the first buyer, and the government is the one who makes and enforces the law, how could you think that they will be enforcing this?
The censorship would leave us with more exposed software. Vulnerabilities would not be publicly available, and therefore the companies involved in software development would not have any further motivation to fix them. Such companies would use legal resources to avoid the vulnerabilities, because “there is no vulnerability if nobody can see it”, which is false.
Let's just make the following comparison: your doctor notifies you that you have cancer, and you sue him, because now you will be spending a lot of money on very expensive medication and more doctors. “The cancer is not there if nobody sees it.” In addition, you lobby to penalize doctors who give cancer diagnoses.
Finally, under this scheme, the price of an average vulnerability would increase because it would deliver more power to its final owners, and later the involved actors would change course and pay developers to introduce pseudo-non-voluntary bugs into the source code. This is cheaper than paying a researcher.