Vulnerability economics and Free Software

Matthias Kirschner mk at
Tue Nov 26 05:58:05 UTC 2013

David Wheeler wrote an interesting article about the economics of
vulnerabilities. He fears that the current “‘vulnerability bidding wars’
[...] will create an overwhelming tsunami of zero-days available to a
wide variety of malicious actors.” Besides describing some general
problems of bounties in the security field, the main point of his
article is the idea of increasing security by criminalising the selling of
“vulnerability information to anyone other than the supplier or the
reporter’s government.”

On the effects of vulnerability economics on Free Software, Wheeler
writes:

    The current situation might impede the peer review of open source
    software (OSS), since currently people can make more money selling
    an exploit than in helping the OSS project fix the problem.
    Thankfully, OSS projects are still widely viewed as public goods, so
    there are still many people who are willing to take the pay cut and
    help OSS projects find and fix vulnerabilities. I think proprietary
    and custom software are actually in much more danger than OSS; in
    those cases it’s a lot easier for people to think “well, they wrote
    this code for their financial gain, so I may as well sell my
    vulnerability information for my financial gain”.

(Also posted on

Best Regards,

Matthias Kirschner - Vice President FSFE
Schönhauser Allee 6/7, 10119 Berlin, t +49-30-27595290 +49-1577-1780003
Weblog ( - Contact (
Receive monthly Free Software news (
Your donation enables our work (