Who owns an exploit?

When a security researcher discovers a vulnerability in a product, who really owns that discovery? Most people would agree that the credit for the find should go to the security researcher, but should that person be able to profit from their work?

If you ask iDefense or 3COM you will most likely get the answer: ‘yes’. That is because these companies are in the business of buying exploits from researchers and then working with various software vendors to get the problem corrected (for profit).

However, there are many out there (i.e. software vendors) who despise this mentality because it encourages people to poke and prod at programs. This brings bad press and leaves companies with egg on their face and a bad reputation. In fact, in some countries, this activity can land you in jail.

Linked by shanmuga Monday, 12th December 2005 11:51PM