This sums up the direction I have been heading in for some time now with regard to vulnerability disclosure. After ten years of handling vulnerability disclosure for various companies and OSVDB, I am fed up with the process. It always involves an incredible amount of time and effort hand-holding the vendor, explaining concepts they should readily understand, assuring them that you mean no harm and submitting to their procedures and timelines, all to be ‘responsible’.
At all levels of the vulnerability discovery and disclosure process, there is value. Many people in our industry are seemingly stuck in the 1990s mindset regarding vulnerability value. The methodology for discovering vulnerabilities has value, as new methods fuel white papers that drive advertising to niche companies. Customized tools allow for easier discovery and more reliable exploitation of vulnerabilities, which gives value to the tool maker as well as to the companies that use them to perform commercial work. While a vulnerability is being disclosed, it has value for companies that sell such information or provide defensive technology that can look for the resulting exploits. Even after disclosure, vulnerabilities become a form of advertising for companies and resume fodder for individuals.
The views of folks like Ross Thomas from Sophos are silly. If a researcher spends the time to discover, research and document a vulnerability, of course it is theirs to do as they please. Vendors need to come up with a reason why responsible disclosure really benefits everyone, not just ‘their customers’. Of course it benefits their customers, but it also benefits their bottom line, which is the vendor’s verification of vulnerability value (channel Hugo Weaving as you say that line).