What would you do if you face a Zero Day?


For starters, let me clarify that "Zero Day" is not another name for the day we will all start over. It is not Doomsday, D-Day or Groundhog Day. It is none of that. However, if you spot a 'Zero Day' you might have the sensation that you are experiencing a "very bad hair day", to say the least.

A 'Zero Day' is a flaw in a software program, a vulnerability that has not been identified by the maker. Knowing that, you may say: "well, if it was not detected by the maker, nobody knows about it. If nobody knows, it doesn't exist, right?" Sorry. Not exactly.

Zero Days exist, and it is only a matter of time until they show up. The real question is who will fix them, and when. Before or after the damage happens?

Let me put it another way: would you prefer a vulnerability in the program to be identified and fixed before your Yahoo account is hacked, or after an unidentified 1000 dollar bill appears on your statement? Before a power plant is controlled by anonymous hands, or after a nuclear reactor overheats mysteriously? Before your driverless car is hijacked by an undesignated driver/program, or after your engine suddenly stops in a 65 mph lane? I suspect you get my point by now and agree with me that preemptive action is advisable. But who plays this game? How can the damage be prevented?

There are several players on this board, and the dynamics, interests and drivers for each one vary. Software programmers, industry makers, brokers, governments, end users: they all have their own agenda about how to handle a zero day, and this can get extremely complex.

But allow me to approach this from the software programmer's perspective for now. For that, I'd like to ask you to embark on a little role play and put yourself in the shoes of a code developer. Let's suppose you find a vulnerability. What do you do? Do you report it to the maker? They may take this as 'blackmail'. And let's be honest, nobody likes to have an outsider pointing out a flaw in their work. Some animosity just looks natural.

Perhaps you should report it to a security agency? They will know what to do, right? Well, the question is: which one? A good part of the programs and apps we use today are spread around the globe, in the cloud. Who should you contact?

Maybe you should let the invisible hand of the market decide (remember, you are still wearing those shoes, and you paid for them. So, yes! You expect to be paid for the work you have done and for the discovery you have made! There is value in it, and you are entitled to that!). You then start analyzing marketplaces, find that there is no official market for zero days, and end up at Alphabay (yes, the eBay of the dark web), which puts you side by side with people selling credit card records for 0.03 cents of a dollar. Not cool. This just does not look right.

You know that lives can be in danger, but surfacing the flaw looks bad in every way from a personal perspective. A very thoughtful reader who took the shoes off for a moment may say at this point that you should not have meddled with it in the first place. To this thoughtful reader, I ask whether ignoring the flaw will make its consequences go away. In addition, I'd inquire what your take would be if your carmaker was informed that someone could take control of your car and took no action about it. I hope, my dearest reader, that your answer was that you would prefer to have someone working to identify the flaw beforehand. Now that we are hopefully in agreement, may I invite you to put your shoes back on?

So, here you are with several dead ends, which leads you to ponder making the vulnerability public, just like the Mirai botnet did last October when it blocked the services of Netflix, Amazon and others, disrupting users' routines to illustrate the consequences of a security flaw.

What would you do? Would you endanger the short term for the greater good? Is there any option that would make your decision the right one? What would be your call?

With luck, you hit a bug bounty program and all these questions become moot. But there are so few of them... which brings me back to the question: what would you do?

MR