Brad’s latest article, A Lively Market, Legal and Not, for Software Bugs, is on the front page of the New York Times this morning. It’s so strange, after all these years, to suddenly have Brad and the paper of record interested in vulnerability reporting, something CIS held a conference about in 2003 and that I’ve been speaking and writing about for a few years now.

The news hook for the story is that hacking, once a gentleman’s sport governed by the “responsible disclosure” protocol of thank-yous and how-do-you-dos, is now being perverted by money into the dark and dirty game of bounty hunting on the eve of Microsoft’s Vista release. The title is a bit misleading. The market is legal. A particular sale may not be, however. While there are no laws that forbid the simple sale of exploit or virus code, the U.S. Department of Justice has taken the position that distributing code with malicious intent, or with the knowledge that the recipient intends to use the code to break the law, is a crime. I’m glad the Times has made some effort to qualify the term hacker with “underground” or “nefarious” when they mean a bad guy, rather than using the word hacker itself in a negative way. I’ll be interested in hearing how my hacker friends receive this article.

I also just learned that Rob Lemos, a reporter with Security Focus, has an article on the topic of vulnerability bounties as well.