nCircle.com >> 360 Security


"Morally Reprehensible"

"I find those trafficking in nonpublic exploits morally reprehensible."
Mary-Ann Davidson, CTO, Oracle Corp.

I'm at a security conference where Mary-Ann was doing the keynote today - the quote is from her talk. She was referring to the new development in "vulnerability research" - the "vulnerability sharing clubs" that are popping up from a bunch of different research organizations. As far as I'm aware, the first group to do it was Immunity, which is Dave Aitel's company. Others have followed suit since - Core being one of the most notable.

Of course, it costs a significant fee to join these clubs - when I last inquired of Dave, the fee was up near $100K per year. In addition, they're selling tools like Canvas that make exploitation all too easy.

This type of stuff puts us in a bit of a bind. In order to keep up with what the "morally reprehensible" people are doing, we have to know what they know. (I don't think Dave or any of them are "morally reprehensible".) However, I concur with Mary-Ann in a lot of ways - this isn't exactly the type of stuff that I agree with trafficking to unknown people for a price. As she pointed out, it's all too easy for "just anyone" to sign up for this service and own boxes if they've got the cash.

What's frustrating to me is that we're both known as teams of "vulnerability researchers", and I certainly don't want to be lumped in with that - we try to stay on the vendors' good sides. We don't sell or publish exploits. We're here to make the world more secure, not to wreak havoc for our own personal enjoyment and personal gain.

Comments (2)

Halvar Flake:

I was unaware Core was trafficking in undisclosed exploits -- as far as I know their company policy is not to deal with 0day.

Well, apparently getting "0-day" exploits is really cheap. The FD list had a posting for http://exploits.cx/. I decided to see how much it would be for "everything". Apparently $29 USD.

So now I don't need to be big company X. I can be little Joe Schmoe and get what I want for "real cheap" (quality, however, may or may not be questionable ;) ).


About

This page contains a single entry from the blog posted on May 9, 2005 3:53 PM.

The previous post in this blog was Patch and Pray.

The next post in this blog is SCADAGard SIG To Be Established.
