This InfoWorld article examines whether “cyber vigilantes” (CVs), the people who uncover security vulnerabilities in well-known, popular software and bring them to the software manufacturer to be corrected, are good guys or bad guys. As the article points out, there are two sides to the issue: 1. these folks are doing a good thing, because bringing the problem to the company’s (and sometimes the public’s) attention for correction helps the company and every user of the software by heading off widespread exploitation and the havoc it would cause; or 2. they are doing a bad thing, because making the vulnerability public jeopardizes the company and public safety by bringing the problem to the attention of the hackers.
I suggest you read the article and form your own opinion, but here’s mine. I’m not sure whether these guys are wearing white hats or black ones; probably some of both. The practice of some CVs is to pressure the company into making a quick modification to the software to close the vulnerable “hole,” and this almost always causes a confrontation. The company usually doesn’t move quickly enough to satisfy the CV. This could be because it doesn’t think the vulnerability is as great a risk as the CV does, or because, given the complexity of the software, it cannot produce a high-quality patch in a very short period of time. It seems to me that many times the CV’s demand is unreasonable (though perhaps justified), and when the company reacts as above, the confrontation escalates to the point that the CV threatens to, and sometimes does, go public with the vulnerability information. The relationship between CVs and software companies could be a very productive one if the confrontation described above were ratcheted down a notch or two…or three.
The source of this ongoing problem of software vulnerabilities is that software companies don’t design and develop their software with enough emphasis on security. To improve, they must invest in educating their development staff…writing software that avoids exploitable vulnerabilities…and in quality assurance…testing for vulnerabilities. Perhaps if the number of vulnerabilities is reduced, the number of CV/software company confrontations will be reduced as well.
However, the cynic in me believes that the companies won’t spend the money necessary to improve software security, that the CVs will continue to get an ego pump from pushing the software companies around…and, consequently, that this situation will be around for a long time.
What is your opinion on this issue? Are these guys wearing white or black hats? Are the companies doing all they can to improve their software? Are you sick and tired of all these software vulnerabilities and their inherent danger? Let me know. Please comment on this article; we all learn from each other when our views and opinions are shared.
I hope you enjoyed this article. If you enter your email address in the Email Subscriptions box on the home page, I’ll send you an email when a new article is posted. I don’t share your email address with anyone…no one; I hate spam too. Please share my site with your friends and family. Thanks.
Remember, home computing is a blast…keep it productive and enjoyable.