Tell it like it Is

Anton Chuvakin alerted me to a paper by eEye on Zero Days: Vulnerability Discovery, Disclosure, and Ethics (of all things).

I find its five benefits of vulnerability research highly enlightening (and honest):

  1. Vulnerability discovery can help build organisational profile through brand recognition and goodwill.
  2. New concepts invented through "pure" research can sometimes be applied directly to the commercial software, creating a competitive advantage.
  3. High profile research organisations are seen as attractive employers, leading to improved quality of applicants for positions across the organisation.
  4. The security research team can be used to provide unparalleled in-house pre-release security testing for new software products – thus avoiding the negative publicity of having them broken in public.
  5. Although altruism is seldom considered to be a direct commercial benefit, security research advances the overall "state of the art" in software security, thus benefiting all software users.

Wow. Brand recognition, competitive advantage, quality employees, quality products, and, finally, maybe some security benefit at the highest level. I think they are right, and I am glad they didn’t say it makes everyone more secure immediately.

It should be clear now what their motives are, at least. (Btw, feel free to skip the ethics part).