[riferguson]

[Let's use "Alice" as the name of our hypothetical security researcher.]

If the Bad Guys can get the exploit from someone else, then Apple equally could pay someone other than Alice to disclose it to them. Your premise assumes the work is fungible.

If the entire set of people (including Alice) who are capable of finding these vulnerabilities conspired to withhold their work and push the White Hat market clearing price up to the level that the Bad Guys will pay, then the answer to your question would be yes.

If it's a market without price fixing, then Alice withholding her work doesn't materially affect the actual price of the exploit to Apple, and in that case the answer to your question is no.

[tptacek]

You're missing the point. Apple isn't matching the market's bid for these vulnerabilities. Clearly, people besides Miller can find Safari flaws; the difference is, when Miller finds them, we know they aren't being sold to organized crime. By your logic, if he stopped, he'd be making things better for the Bad Guys; he's therefore obligated to do the work.

[riferguson]

You're missing mine, I'm afraid: I've made no claim about anyone having to do anything. Indeed, if I was in Charlie's shoes, I wouldn't be working on spec.

Let me put it another way.

There are two markets for exploits: the legitimate one, and the criminal one.

Charlie is participating in the legitimate one. He's going to get paid what the sole counterparty wants to pay him. We can argue about what the counterparty should pay him, but that's up to Apple (in this case), and there are a lot of different things that might enter into their calculation.

An argument that uses the value of the exploit in the criminal market in an attempt to set a value in the legitimate one only makes sense in one of two cases: (a) you're going to take your work and sell it over there, or (b) you claim that someone else either has already discovered or will soon discover the same exploit independently, and will choose to sell it on the criminal market, and therefore the value of your work should reflect the danger of that happening.

In the first case, you're engaging in blackmail.

In the second case, it's just not a very good argument -- because the chance that each element in the chain of reasoning about the value (it's about to be or has already been discovered by someone else, it's going to end up on the black market, it's a substantial risk for a 0-day, etc.) is not true represents a probability that reduces the overall value of your exploit in the legitimate market. Plus, there's the additional reductions in exploit value that come from the vendor not actually caring that much about fixing problems until they're in the wild, or having already found the issue and decided that the particular problem isn't worth fixing for a variety of non-technical reasons, or any one of a dozen other external factors.

Working on spec and then demanding that the vendors match the exploit values that the criminal market is paying is just a Bad Idea, morally and practically.

[tptacek]

Apple pays zero for vulnerabilities, friend. They get them for free. Charlie Miller is saying he's going to stop doing that. Can you blame him?

[koningrobot]

No, but that's not his point. (I think) he says there's something wrong with him basing his price on what criminals would pay (regardless of whether he would actually sell it to criminals).

I don't know. If he can't ask whatever he wants for it and Apple can't pay whatever they want for it, there's no simple solution.

[tptacek]

I think we've latched too much on the pricing specifics. I don't think Miller cares; I think he's just trying to illustrate that there is in fact a market value for this work, and that vendors and customers appear to expect to get the work product for free.