CTO Insights: Vulnerabilities Should Not Be a Commodity

The cybercriminal underground economy is thriving on the high demand for exploit kits and other tools, but cybercriminals aren't the only ones on the lookout for the highest bidder, but security researchers and companies as well. The year 2014 exploded with high-profile vulnerabilities like Heartbleed and Shellshock that had wide-ranging implications that put a lot of computers and devices at risk. Months after the disclosure, despite attempts to update servers, hundreds of servers were still left vulnerable to the bug.  

Presently, more and more vulnerabilities that are spotted are now being sold to the highest bidder, instead of duly reporting them to respective developers in order to be fixed. This practice does not benefit affected users but only the companies engaged in buying and selling these vulnerabilities. Because of these activities, users are left at risk, and the security community is left in the dark about threats that should have already been identified.

Recently, vulnerabilities in Microsoft products were disclosed by Google’s Project Zero and HP’s Zero Day Initiative because it was not patched within the 90 days of the vulnerabilities being reported. This incident sparked a debate between security researchers and software vendors on how vulnerabilities should be disclosed. Microsoft has responded by calling for better coordination on vulnerability disclosure. Because the landscape of vulnerability is changing, it seems that there is nothing more threatening than a zero-day vulnerability, and the efforts aimed to protect users against a broad-spectrum of threats from phishing scams and other social engineering tactics to more complex and determined adversaries are being strengthened.

In order to arrive at a place where critical security strategies and practices are put into place, security researchers and software vendors should work together stop fuelling the industry that trades vulnerabilities. In the video

Vulnerabilities for Sale

below, Trend Micro Chief Technology Officer Raimund Genes, talks about the importance of securing safe code practices and reviewing open source libraries before using them, as well as responsibly reporting discovered vulnerabilities back to the affected vendors instead of selling the information to the highest bidder.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.