Selling Vulnerability Research - Ethical or Not?

Adam Gowdiak, founder and CEO of Security Explorations, discovered a bunch of vulnerabilities in the Java platform used in Nokia Series 40 phones. He wants to be paid for discovering the vulnerabilities, but he's already informed the relevant vendors about the vulnerabilities. Gowdiak says that he'll use any proceeds to create "a cutting-edge security research center in Poland," and he figures that he needs about 1,000,000 Euros to get that rolling.

The fact that he's asking for money for vulnerability discoveries has caused quite a stir and of course people have differing opinions about it.

My perspective is two-fold: First of all, he did the research on his own without being asked by Sun or Nokia to do it so he can't expect to be paid anything, but asking certainly wouldn't hurt. Secondly, Sun and Nokia ought to be appreciative that Gowdiak DID conduct the research and brief them on his findings - what would the cost to their reputations be if a black hat type of researcher had found them first?

If I were in charge of making a decision about whether to give Gowdiak any money then I'd probably give him some. But first I'd set up a standard company policy that defines how much to pay anyone in a variety of circumstances depending on the nature of the vulnerability. The more dangerous the vulnerability, the more I'd pay the discoverer(s).

So what's you opinion about this sort of thing?

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.