[bathtub365]

This way of thinking really reflects poorly on security professionals. They should care out of a sense of professional ethics or personal morals. Selling a bug to be fixed by a vendor or to be weaponized by one of Zerodium’s customers are not equivalent morally or ethically. They also aren’t the only two options: he could just sit on the bug. Someone else will likely discover it but he at least wouldn’t be complicit in the erosion of the security of the software ecosystem.

[anamax]

The security of Microsoft products is Microsoft's responsibility.

Microsoft seems uninterested in fulfilling that responsibility, therefore the responsible thing to do is to "motivate" Microsoft.

[bathtub365]

Let’s not pretend selling to private buyers is anything other than financially motivated. I don’t think security researchers who sell their vulnerabilities to private buyers are not acting to “motivate” Microsoft in a roundabout way. Even if we assume that is their motivation, such an arrangement is obviously unethical because vulnerabilities sold in this way are weaponized to do harm against others.

[anamax]

The motivational effect is independent of their intent.

Unless you work for free, you don't get to criticize others for getting paid for their work.

[bathtub365]

> Unless you work for free, you don't get to criticize others for getting paid for their work.

This is completely ridiculous. By this reasoning we shouldn’t criticize corrupt politicians or anyone whose chosen profession means they get paid to make the world a worse place to live. I don’t think we’ll see eye to eye on any of this, I simply can’t understand any of the arguments you’ve presented to justify getting paid to make the world a more dangerous place.

[anamax]

We're not going to see eye-to-eye because you think that other folks should work for free to make Microsoft products more secure.

I think that when security problems in Microsoft products are Microsoft's responsibility and no one else's. By insisting that other people work for free to improve that security, you're arguing that other people are responsible for said security problems.

That's a curious position. You think that someone who isn't paid is responsible, but not Microsoft, who is paid.

I understand why Microsoft would like that arrangement, but why do think that anything else is wrong?

[lobocinza]

Microsoft is not a financially struggling company. I don't think management cares about security.