
Comment by mlyle

2 months ago

> I think we're on a trajectory towards those marketable bugs having something like a vintage.

I'm reminded of when we really systematically started treating temporary names correctly and thought security was going to be so much better.

I think there's no shortage of bugs and exploitation scenarios. We'll eliminate the easiest to exploit and most common mistakes, but there will be yet more.

> I think the most important thing bounties do is mobilize people who would never work with a grey-market broker to do good vuln research work

I think it makes it easier for those who work with grey market brokers to "go legit", too. Even if bounties can't win on price, this doesn't mean they can't win people over.

Of course, the fact that they can't win on price is a market oddity. Exploitation causes net economic harm; it's a negative-sum proposition. The only reason why software vendors can't outbid the criminals is because the software vendors don't pay the actual losses. I'm hoping this changes some over time.

> we both agree that those sums are set to increase.

I don't/didn't know that's true, but that's welcome news if true.

If we're talking about mid-90s race conditions there, with "temporary names", there was never a market for those vulnerabilities. There's a myriad of different vulnerabilities and new bug classes announced with fanfare every year at Black Hat and the Big Four conferences, but we've been in what seems like a stable state for over a decade on which of those vulnerabilities are actually tradable.

  • > If we're talking about mid-90s race conditions there, with "temporary names", there was never a market for those vulnerabilities.

    More like mid-80s with effects dragging on to mid-90s.

    There was never a market back then at all. ;) The point is, many confidently announced that all the easy-to-exploit stuff in Unix was being fixed and soon security was going to be less of a problem.

    > but we've been in what seems like a stable state for over a decade on which of those vulnerabilities are actually tradable.

    Yes, but that doesn't stay the same if the low-hanging fruit dries up as you posit. The level of sophistication of both exploit writers and exploit consumers will have to climb, but we're nowhere near the ceiling of the skills and effort that crime and intelligence can pay for.

    • Right, so I'm not confidently predicting the end of software security (I'm "optimistic" about its relevance, in the same way you're pessimistic about the long-term security of software). But drive-by client-side exploits are a particular kind of software security problem, and for that one, I do see the light at the end of the tunnel (and also a prolonged period of 7-8 figure exploit premiums).