So Google, PinkiePie, and VUPEN walk into a bar....
VUPEN turns to Google and says "U MAD BRO?"
Google *snickers* and says "Nope."
PinkiePie eats a yogurt (because he isn't old enough to drink yet) and wonders what's the big deal?
Punchline: An unseen person in a nice suit walks out with your data.
Haha! Funny, right?
I remember well when Dino A. Dai Zovi explained the No More Free Bugs philosophy and I agreed entirely with the premise. There were of course outlier situations which Dino himself would certainly pause to consider. However, there really was no reason not to support the general position - the No More Free Bugs effort.
It really has changed the landscape by which security research is done and consumed by end-users and vendors alike. Prior to No More Free Bugs you had one monetized "market" for such research - the black market - otherwise there really wasn't a legitimate outlet.
Since then a new player has entered the fray, Government, and I'm not entirely sure I like where this is going. It has most recently been highlighted, without ever saying "Government", by the Google - TippingPoint - VUPEN dynamic around Pwn2Own and Pwnium.
TippingPoint (and VUPEN) argued that six-figure rewards aren't enough for the rarest security bugs. Google presented their argument and played at a trap. PinkiePie didn't seem to get involved in the controversy and just did good work (awesome).
Originally, in No More Free Bugs, a major premise was that this work was hard and cost money. "They", the vendors, are getting the work for free when it would otherwise cost them monies in staff, training, break-fix, etc. OK, that's fine - and there was even a slight interlude about No More Free Bugs not quite being the same for FOSS projects (except Chromium because, apparently, Google should be punished for that FOSS contribution). Alright (snark aside) still mostly fine.
However, when did six figures become reasonable for a bug? Well, it became precisely reasonable because there is one legal customer who has the need and resources to pay for it - Government. Sure there is a black market but No More Free Bugs wasn't meant to play on the black market.
More specifically, the alternative is probably illegal and these security researchers really want - like most people in society - to stay above board in legitimate markets. I'm not talking informal economies, I'm specifically talking illegal black markets with an express nefarious purpose.
Finally, in the background of all this is a "right fighting" dynamic where security researchers and vendors go back-and-forth about what is reasonable and fair, and who is "right" to hold their position. Yet nobody seems to stop and ask "Who fights for the users?"
Not long ago Christopher Soghoian talked about the risks of this evolving market turning against "us". I'm not going to delve into that geopolitical aspect here - that's for another time - but it's worth noting because the market dynamic I am worried about is directly related. How can private industry be expected to further protect assets, that the Government itself is saying are matters of National Security, if the Governments themselves are encouraging behavior which adds a hostile dynamic to the security research marketplace?
Government complicity in this secret security research market is in direct competition ~against~ vendors who are trying, and in my opinion quite reasonably, to deliver better, more secure products. (Side note: Obviously we're just talking about compounding problems - 0-days aren't how the vast majority of security breaches happen.)
It would seem to me this is just a way Government still gets the back door without actually asking for and documenting a back door. They just price the bug, I mean back door, in. How is this OK?
The market is going to exist and I think No More Free Bugs is certainly the right way to go. I'm just not entirely sure that Government should be a player in that market. Yes - the bad guys are going to know what they know, Governments are going to do what they do. I just have to believe that Government inflating costs isn't in the best interest of the Government or The People. And, oh yeah, the Government is supposed to be working for The People.
I'm not offering a solution, I honestly have conflicted feelings myself, I just think it's well past time to more openly and thoroughly discuss this evolving ruleset. In the meantime I'm going to do some market research on my measly security bugs - I need new furniture.