Zero Day Ethics
http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
Withholding zero days to sell on the black market certainly doesn't seem ethical to me, but I can see how the money and fame could be tempting. I personally try to stay away from egocentricity and I think there are more important things than money (then again, no one has ever offered me $100,000). What do you all think? What would you do with a $100,000 zero day?
Unethical to whom? According to whose morality? Is it better to fund your exploitation of a corporation that supports both child slave labor in foreign countries AND deprives you of your rights to completely own your software, or to keep silent and fully disclose, letting them profit from your hard work at an increasingly lengthening margin from most other operating system and utilities companies?
Or how about exploiting Linux, where they depend on user input to find and help patch bugs and security weak points in the system?
So? If you think you're morally superior because you'd rather see full-disclosure with no compensation, you've got a greater ego than those that would sell their exploits. No one is morally righteous in this case.
I'd take the money, because I spent the time and dedication finding the exploit, and I'd rather see Microsoft lose money and customers (who inevitably flock to Apple or Linux) than find fault with some Ukrainian mafia figure making money.
@arabian, very well said
Sorry if my wording was off, I know morals are subjective and I know I'm not superior to anyone else, but I meant to my own standard of ethics it seemed off and I was just curious to see other people's views in the hbh community. Mostly I was curious if the community had any set of shared ethics other than just what can be posted on the forums.
I tend to support full disclosure because I empathize with the programmers and the customers, not the companies. I'm sure Microsoft and Google can deal with losing a little bit of money, but I'd hate to see a programmer lose their job, or some working class family have their bank account cleaned out.
Your argument disenfranchises 2 sectors of the population:
- The consumer/user.
- The lower level outsourced assembly-line worker.
You think the middle class well educated programmer is going to be the one suffering most if you don't fully disclose? You're helping maintain the employment of the people who could best handle losing their jobs, and at the same time, supporting a company that deprives others of far too much.