In Depth
Software Vulnerability Disclosure: The Chilling Effect
How the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal
By Scott Berinato
A gray pall, a palpable chilling effect has settled over the security research community. Many, like Meunier, have decided that the discovery and disclosure game is not worth the risk. The net effect of this is fewer people with good intentions willing to cast a necessary critical eye on software vulnerabilities. That leaves the malicious ones, unconcerned by the legal or social implications of what they do, as the dominant demographic still looking for Web vulnerabilities.
The Rise of Responsible Disclosure
In the same way that light baffles physicists because it behaves simultaneously like a wave and a particle, software baffles economists because it behaves simultaneously like a manufactured good and a creative expression. It's both product and speech. It carries the properties of a car and a novel at the same time. With cars, manufacturers determine quality largely before they're released and the quality can be proven, quantified. Either it has air bags or it doesn't. With novels (the words, not the paper stock and binding), quality depends on what consumers get versus what they want. It is subjective and determined after the book has been released. Moby-Dick is a high-quality creative venture to some and poor quality to others. At any rate, this creates a paradox. If software is both scientifically engineered and creatively conjured, its quality is determined both before and after it's released and is both provable and unprovable.
In fact, says economist Ashish Arora at Carnegie Mellon University, it is precisely this paradox that leads to a world full of vulnerable software. "I'm an economist so I ask myself, Why don't vendors make higher quality software?" After all, in a free market, all other things being equal, a better engineered product should win over a lesser one with rational consumers. But with software, lesser-quality products, requiring massive amounts of repair post-release, dominate. "The truth is, as a manufactured good, it's extraordinarily expensive [and] time-consuming [to make it high quality]." At the same time, as a creative expression, making "quality" software is as indeterminate as the next best-seller. "People use software in so many ways, it's very difficult to anticipate what they want."
"It's terrible to say," Arora concedes, "but in some ways, from an economic perspective, it's more efficient to let the market tell you the flaws once the software is out in the public." The same consumers who complain about flawed software, Arora argues, would neither wait to buy the better software nor pay the price premium for it if more-flawed, less-expensive software were available sooner or at the same time. True, code can be engineered to be more secure. But as long as publishing vulnerable software remains legal, vulnerable software will rule because it's a significantly more efficient market than the alternative, high-security, low-flaw market.