Imagine if someone in infectious disease research said "It's not at all true that researchers on the whole do what they do to prevent disease. Many of the best researchers do the opposite!"
It would be interesting if monetizing the next flu bug worked the way that the market for vulns works.
Infectious disease researchers are finding microbes, just like security researchers are finding vulns.
Now let's try putting words in your mouth: You would be happy with disease microbes being sold to the highest bidder and weaponized, and turned against the population, just as vulns are when security researchers sell them to spy agencies and law enforcement. Is that what you are saying? Are those acceptable professional ethics for... biologists? Anyone?
If it was up to me, we'd come pretty close to banning the manufacture of firearms and ammunition, so I'm not the right person to ask about this. But, once again:
* Vulnerability researchers do not as a rule disclose to vendors. Some do, some don't.
* Sponsoring the discovery of a vulnerability so you can write an exploit for it doesn't prevent others from finding that vulnerability and patching it. If anything, sponsoring vulnerability discovery for exploit development increases the likelihood that the bug will be patched.
* When I ran a security consultancy, we had a "no selling vulnerabilities" rule. Published, on our website. I was comfortable with that, because "my company my rules". I am a lot less comfortable dictating my own morals on other people that don't have a contractual agreement with me.
* It is difficult to come up with an argument that vendors should get disclosure of vulnerabilities that doesn't involve vendors entitling themselves to the (often very expensive) work of vulnerability researchers. It's especially galling to see companies that don't spend any real money on software security expressing that sentiment.
And, of course: software vulnerabilities aren't infectious disease agents. The revulsion we have for weaponizing infectious diseases comes from the concern that they will spread unchecked. But that's not how software vulnerabilities work.
The question is whether selling vulns, or weaponizing them, or stockpiling weaponized vulns is acceptable professional ethics. Some people think that the government having a stockpile of zero-days is a good thing. Some even think that vulnerable endpoints are a good compromise outcome so that encryption doesn't turn into intellectual contraband.
But it would be better, for everyone, for it to be considered unethical and unprofessional to add to the stockpile and actively keep endpoint devices vulnerable. I think stockpiles of vulns should be disclosed, even through hacks or leaks, like the Hacking Team leaks. Hence the analogy to biologists auctioning off their discoveries secretly to be weaponized. It's analogous enough: The practice of stockpiling vulns for the purpose of spying leaves everyone with less privacy and security, at the mercy of the unaccountable and outright evil. It creates perverse incentives for deeply unethical behavior. It poisons the whole software and hardware industries globally. If vulnerability stockpiles were unilaterally disclosed, it would be a large net benefit to the common technology user.
Also, rewarding researchers for disclosure is fine. There are open, transparent, and ethical ways to do that, like published bug bounties followed by timely public disclosure.
You might have good intentions and high ethics, but industry norms have to be designed for people like Hacking Team.