Security Firms Releasing Exploits: Driving Up Sales Or Informing The Public?
from the not-so-good dept
The more cynical computer security watchers have often suggested that security firms are behind certain virus/worm releases in order to sell more product. Certainly, high-profile exploits tend to drive up security software sales, and there's always some skepticism in any business where true "success" would really mean putting yourself out of business. However, most security companies really aren't crazy enough to risk their reputation like that. Of course, at the same time, you have the debate over security researchers who reveal exploits in order to better inform the world of the risks, and maybe prompt a company to fix security holes it seems to have been ignoring. So where is the borderline between these two things? It seems like one French security firm is clearly pushing (or some might say obliterating) those boundaries by releasing zero-day exploit code for a hole in Microsoft IE and, within 24 hours, pushing out code that works on the Plug-N-Play vulnerability that came out last week and impacted many users. It certainly looks like this effort goes beyond "informing the community of a threat" to "smashing things up to get more sales to fix the mess." The big differences: (1) no alert to the company that would have given it a chance to fix the hole, and (2) much more importantly, the release of actual code, rather than just letting people know that the vulnerability exists and that users are at risk.
Reader Comments
No Subject Given
For example:
"Hey, there's a hole in this bit of software. By doing the following highly technical things, it can be exploited."
vs.
"Here's something to help script kiddies get their mitts on your data. Enjoy!"