Anyone who wants to stay in the "hears-about-this-kind-of-thing-early" club should need to pay $10k/month
If I find a vulnerability in code from a project which is pulling this sort of stunt, I will make sure I share details with distributors only under the strict condition that they are not allowed to tell the project about it.
Responsible disclosure usually means "start by telling the authors", because usually the authors know who needs to be contacted and will do that responsibly. If they're just going to sell off exploits to the highest bidders, they should have no role in the disclosure process.
I'm not even sure where this comment came from, and how it applies. This isn't about delaying details to anybody (or, worse, hiding details from anybody), it's about providing details earlier to a group of people who have a strong enough vested interest that they are willing to pay for it and have been vetted as trustworthy enough to allow it.
Given how important OpenSSL is to the web's infrastructure (and the many companies who utilize it), I think there would be value in ensuring it has appropriate resources to fulfill that duty. This idea may not be a perfect solution, but calling it a "stunt" is hyperbole, IMO.
The FreeBSD Security Team works with other software distributors to make sure that they have advisories and patches ready when bugs are first disclosed publicly.
In my years as FreeBSD Security Officer, we in very rare cases gave advance notice of vulnerabilities to end users, and those decisions were made on the basis of "we happen to know that these people are using the software in a way which makes them particularly vulnerable". (In most or all such cases we didn't even provide a patch, just a warning of "make sure you have people around at 10AM tomorrow in case you need to release an update quickly".)
Nobody ever got advance notice by virtue of having donated money, and I reminded Security Team members that they should not give any advance disclosure to their employers.
Except you can't give security vulnerability details to everybody until you have a patch ready (and I certainly wouldn't argue that you should allow paying for earlier access to the patch). On the other hand, when you have a business relationship with somebody, with non-disclosure agreements in place, you can tell them more details much earlier.
Given that you are the exact type of person that I would want reviewing OpenSSL, thank you for your feedback!
What would you say if this was worded more like Patrick's "priority support" clause in his analysis of Tarsnap? Practically it would just mean they send an email to the priority support list before they send it to the listserv. I still think major enterprises would get on board.
Practically it would just mean they send an email to the priority support list before they send it to the listserv
Mail servers are fast enough these days that I don't think that it really matters what order the emails go out in. Maybe someone would want to pay to get a phone call when an advisory goes out, though.
I have no objection to providing support for paying customers, e.g., to help them figure out if they're affected by a bug. But money should not result in you hearing about a bug any earlier.
So, I for one am convinced at this point -- largely by your comments, but also the rest of the thread -- that this proposal would burn too much goodwill. I think charging businesses for "something" is an avenue that needs to be explored, but early notification is clearly not that thing.