To Disclose Or Not To Disclose.
Full disclosure has long been a hot topic on the Internet, and today I read an interesting article written by Jeremiah Grossman, a name you probably all know. The article raises interesting questions about the security climate we now live in. Jeremiah basically points out that a software vendor cannot demand that security researchers play by the vendor's rules, nor claim the moral high ground over them. The article mirrors ideas I have held for quite some time now.

Whether to disclose or not to disclose: a researcher has the right to make up his own mind about what he sees fit. I'm ambivalent about any particular form of disclosure, but my personal preference lies in either full disclosure or paid disclosure. There isn't much middle ground between them for me. The fact of the matter is that researchers spend huge amounts of time and money, plus passion, on research. This leads to the conclusion that the researcher holds the intellectual property rights to the vulnerability he found. I am willing to go as far as saying that software vendors should pay researchers who bring a vulnerability, or a vulnerability fix, to them. A software vendor cannot expect a security researcher to spend even more time waiting, unpaid, for the vendor to release a patch while communicating with them for months.

As I have said frequently, the whole discussion about responsibility should cover both sides. The software vendor is a priori responsible for selling decent software that has been tested against the known classes of vulnerabilities and exploit mechanisms. Quite often software vendors ship software the day after it was completed. They want to be ahead of the competition, thereby taking a calculated risk that researchers will X-ray their product down to the tiniest detail. For me, the situation is transparent: software vendors should be responsible for the product they sell. If it doesn't meet security standards, the vendor has absolutely no right to point fingers at researchers and moralize about their conscience.

If there is anything like blackmail in security, it comes from both sides.

Vendors are walking a thin line these days, and as a result the future of security probably holds vendor liability, forcing vendors to release products that have been tested before they ship. Until that day, it seems fair that researchers should not be labeled as outlaws, but rather be taken seriously and, in the best case, be paid or compensated for the research they performed. If it works in the real world, why shouldn't it work in the virtual one?