Update: Clarified my question and point in second to last paragraph.
The Guardian had an article yesterday about how vulnerability auctions are essentially protection rackets and it is all bad for security:
This year computer users will be more exposed to cybercriminals than ever before. It’s not just because online crime is so attractive to identity theft gangs but, ironically, because the computer security industry that is supposed to protect users has deteriorated – from one which shared everything about newly discovered weaknesses to what some within it now call a "protection racket".

"The security industry is fast becoming a protection racket. There’s no other word for it," Henry says. "The tradition has always been for vendors to share information on vulnerabilities so we can all protect our customers. Now you’ve got hackers being given a so-called legitimate route of selling vulnerabilities to a single company who then protect their own."
People love certainty, even when the knowledge may increase the risk, which it does with broader disclosure. You see, the vulnerability already exists in your environment, so you have already accepted that risk. The only thing that changes the equation, then, is the threat side – and more people knowing about it equals greater threat, and therefore increased risk.
Mitigation techniques that are tied to specific knowledge of specific vulnerabilities (e.g. patches) are inherently flawed. The benefit is greatly outweighed by the cost, when you look at a) the proportional allocation of resources across ALL vulnerabilities (including unidentified ones) in an environment, and b) the number of vulnerabilities that are actually exploited.
Ask yourself this question: why would you think bugfinders are finding ALL of the exact same vulnerabilities that the bad guys are finding and using? There are so many vulnerabilities to choose from that the "collision" rate could easily be very low (and is low, according to security professionals who subscribe to the belief that the black hats are winning). In order to be sufficient, an explicit discovery strategy must find every vulnerability.
The industry must either increase vulnerability discovery by (probably) a factor of 10x or more to even attempt to catch up with every single vulnerability ever created and being created in real-time… or come up with new methods for protection.
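To put numbers on the collision argument above, here is a small model I am adding for illustration (it is not from the Guardian piece or my original post). It assumes, as the argument implicitly does, that the defender's bugfinders and an attacker each draw their vulnerabilities independently and uniformly from the same pool of N; the sizes N, d and a are constructed sample values.

```python
from math import comb
import random

# Toy model (an assumption, not a measured figure): N vulnerabilities exist in
# an environment, the defender side has found and patched d of them, and an
# attacker independently knows a of them. Both sets are treated as uniform
# random draws from the same pool of N.

def expected_collisions(n_total: int, d: int, a: int) -> float:
    """Expected number of attacker-known vulns that the defender also found."""
    return d * a / n_total

def full_coverage_probability(n_total: int, d: int, a: int) -> float:
    """Probability that every vulnerability the attacker knows is among the d
    patched ones, i.e. that patching alone neutralises this attacker.
    Hypergeometric: all a of the attacker's picks land inside the d patched."""
    if a > d:
        return 0.0
    return comb(d, a) / comb(n_total, a)

def discovery_needed(n_total: int, a: int, target: float) -> int:
    """Smallest d for which full_coverage_probability reaches the target."""
    for d in range(n_total + 1):
        if full_coverage_probability(n_total, d, a) >= target:
            return d
    return n_total

def simulate_full_coverage(n_total: int, d: int, a: int,
                           trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of full_coverage_probability under the same model."""
    rng = random.Random(seed)
    pool = range(n_total)
    hits = 0
    for _ in range(trials):
        patched = set(rng.sample(pool, d))
        attacker = rng.sample(pool, a)
        hits += all(v in patched for v in attacker)
    return hits / trials

if __name__ == "__main__":
    N, A = 1000, 5  # constructed sizes: pool of vulns, vulns one attacker knows
    for share in (0.1, 0.5, 0.9, 1.0):
        d = int(N * share)
        print(f"defender found {share:>4.0%}: expected overlap "
              f"{expected_collisions(N, d, A):.2f}, "
              f"P(all {A} attacker vulns patched) = "
              f"{full_coverage_probability(N, d, A):.4f}")
    print("d needed for a 50% chance of full coverage:",
          discovery_needed(N, A, 0.5))
```

The point it makes concrete: even with 90% of the pool found and patched, the chance that a given attacker's five vulnerabilities are all covered is well under two thirds, and only finding the whole pool gets it to one.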
For further reading, see my original post on vulnerability auctions.