jared

boston

developer

re: verrry intersting

MS already has 'an out' with regard to vulnerability notification: their own End User License Agreements. They're not financially obligated to release that information, because they're not financially liable when one of their bugs leads to destruction or theft of your data.

By creating a market for vulnerabilities, VSCs put a small amount of financial pressure on vendors to properly QA their "enterprise quality" product offerings. Or, in another light, they're putting pressure on the market to change the working definition of "enterprise quality."

The current market is forcing companies to run their businesses on software they can't afford to completely understand, but for which software vendors generally aren't liable when attacks occur. The available solutions range in popularity:

a) stick with the status quo, because software companies have demonstrated their newfound "seriousness' with respect to security...surprisingly popular, if this article is any indication.

b) break out the hammer of Congress to make software companies liable for vulnerabilities...popular, because many more people understand how to sue than understand how to find and fix software vulnerabilities.

c) create a market capable of supporting vulnerability research of a quality that software vendors aren't currently interested in performing themselves...popularity TBD. :)