Not sure exactly what you mean with your altruism condition. If you believe that “altruistic” research is beneficial, you should want as many vulns found as quickly as possible. If you believe it is unlikely that the good guys will find the same bugs that the bad guys do, then timing doesn’t matter (though you would be correct in your belief).

I think boasting is the best way to get vulns found quickly and at least have a chance of “bad guys” making their finds public in order to embarrass Microsoft. I am not sure where PR fits into secure software, but MS is in a no-win situation anyway. I’d rather the “altruistic” type do whatever damage they are going to do sooner not later, so we can move on.

Vendors lose the value of future purchases. Customers lose the value of present assets. Since money now is worth more than potential money later, customers have much more to lose from a given security risk than a vendor.

MS is about to drop a mad amount of economic data on security / anti-malware / SP2. I’ve gotten some early previews; it’s *beautiful*.

Re, Randomness — systems can be designed to do one thing and one thing only, or they can be designed to recombine in new and interesting ways. There is little hope of progress in the former model, but security is orders of magnitude more difficult in the latter. Here is a realm we have trouble.

Thanks for the comment. It sounds like you are looking at face value $$$ for vendors but patch costs for customers. I am not sure I agree with that assertion. The costs to a vendor for patching a system can be significant (developer time, customer support time, opportunity cost for Vista). Of course, the same can be said for customers, but it is not clear to me that there is “much more” of a difference.

re: Strange economic realities – I definitely agree with you there. The economic reality is that very little we do in security makes economic sense.

I am not sure what you mean by your last point. If you are suggesting that random vulnerability seeking leads to “progress” that would only have single sourced innovation as an alternative, then I am happy to heartily disagree.

The vulnerability discovery we do today has only detrimental benefit, and I could prove it if I only had the math skills.

So yes, there’s a desync in importance between vendors and customers. It’s well known.

You know, randomness and progress are kind of linked. The alternative is single sourced innovation.

The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue…