The trend continues: Initially there has been the debate around irresponsible and responsible disclosure in the community. You might remember that there have been security researchers out there telling us that the only way to force the vendor to fix security issues is to make them public – and with the put millions of legitimate users at sever risk (therefore we called it irresponsible disclosure).
Now the same researcher start to turn around and start to charge for information around vulnerabilities. Interesting isn’t it: First they call for the “freedom of the Internet” by publishing this kind of information and now they make a business model around it. It started with iDefense and Tipping Point and now with FrSirt (formerly K-Otik - http://www.eweek.com/article2/0,1895,1938511,00.asp).
It even gets worse, you can buy this information on e-Bay as well. There are from time to time offerings that claim that they know about a vulnerability and that they would sell it to the one paying most.
Our position is pretty clear on that: We are strong supporters of the model of responsible disclosure (inform the vendor – any vendor – and give them time to fix the issue). We have very tight processes around the Security Updates and are committed to stick to them. Additionally we are trying to work with the Security Researchers to make them understand our processes and to answer their questions and to learn from them. This proves to be very successful.
Last but not least: We will never ever pay for vulnerabilities