Comment Why? (Score 2, Insightful) 307
I suppose this really comes down to the intent of the security firm. WHY did they go looking for vulnerabilities? A common theme I see repeated here is that they spent time and effort looking for vulnerabilities. Why would they do so? What is their profit model? I see three real(hehe) possibilities.
1. They are planning to sell the information to (criminal) third parties.
2. They are planning to sell the information to Real.
3. They are trying to sell services to Real.
The fact that they offer it to third parties before offering it to the vendor (or at least offering a grace period) is very telling. They are trying to coerce Real to buy the vulnerability information before attacks appear in the wild. Failing to do so would lose them profit and face in the digital world, especially as this is being highly publicized.
Thus, either the firm is finding and selling vulnerabilities for criminal purposes or doing so to pressure companies into buying them. Either way, they are doing harm (to Real and/or end users). While it may not be illegal per se, this is a very underhanded thing to do.
1. They are planning to sell the information to (criminal) third parties.
2. They are planning to sell the information to Real.
3. They are trying to sell services to Real.
The fact that they offer it to third parties before offering it to the vendor (or at least offering a grace period) is very telling. They are trying to coerce Real to buy the vulnerability information before attacks appear in the wild. Failing to do so would lose them profit and face in the digital world, especially as this is being highly publicized.
Thus, either the firm is finding and selling vulnerabilities for criminal purposes or doing so to pressure companies into buying them. Either way, they are doing harm (to Real and/or end users). While it may not be illegal per se, this is a very underhanded thing to do.
