SecureWorld News

Russian Vendor Eschews Disclosure, Sells Zero-Day Exploits

Written by SecureWorld News Team | Sat | May 5, 2018 | 1:50 PM Z

Do cybersecurity researchers have an ethical obligation to disclose the vulnerabilities they discover? Only in a perfect world, as this story reminds us.  

Motherboard reports:

Zero-days—security issues known only to the attacker and not the affected vendor—can be a sought-after commodity for researchers, criminals, or governments. But one company is offering zero-days for a set of overlooked targets: medical software, some of which is used in hospitals.

The company’s products highlight the often polemic debate between keeping hold of vulnerabilities for offensive purposes and selling them, or disclosing the issues to the affected software vendor so the holes can be fixed.

“To disclose is not an obligation,” Yuriy Gurkin from Moscow-based cybersecurity company Gleg, which is selling the exploits, told Motherboard in an email.

Gleg offers several different packs of exploits for clients: Agora covers mainstream web software; the “SCADA+ Pack” is focused on “industrial software and hardware environment” issues; and, predictably, the MedPack includes vulnerabilities for medical software. A one-year subscription for MedPack costs $4,000, and for that Gleg provides 25 exploits per year, most of which are zero-days, Gurkin wrote.