Market for zero-day vulnerabilities incentivizes sabotage - aurelianito
http://boingboing.net/2012/06/16/market-for-zero-day-vulnerabil.html

======
patio11
If you can commit to MS Windows or anything similar and lack scruples why on
earth would you be playing for the penny ante on the formal market?

------
fiatmoney
I'm somewhat skeptical that this is actually going to be a big / common issue.
Introducing vulnerabilities, in such a way that they're both effective and
look like an accident when one of your coworkers (or in the case of open
source, anyone else) looks at your code, seems like it'd require a pretty
advanced skillset. Such a person is probably better off selling that skillset
directly and legally by finding vulnerabilities in other people's code.

Not to say that it won't happen on a targeted basis, but a legal market for
"discovered" vulnerabilities doesn't seem to add much incentive when the act
of intentionally introducing them is likely illegal already, and they'd be
paid the same regardless.

------
pmorici
"it also creates an incentive for software engineers to deliberately introduce
flaws into the software they're employed to write"

I don't think this potential conflict of interest is unique to software. Any
security sensitive industry has to consider the possibility of corrupt
employees.

------
trotsky
Hell, it incentivizes the companies themselves to introduce bugs or fail to
fix them in some situations. Think of popular products that are difficult to
monetize - plugins, IM networks, HTML rendering engines, mobile applications.

Flaws are so common it's not like anyone thinks twice when a national program
is found using a bug in your software.

------
franzus
Market for bank robberies incentivizes sabotage.

