Russian security research company won’t share their exploit

By sky at 9:26 pm on February 10, 2008 | 1 Comment

http://www.daniweb.com/blogs/entry2060.html

Apparently a company in Russia named Gleg finds security holes in commonly used software and then sells information about the exploitabilities to their ‘clients’ who pay lots of money to get knowledge like this. It sounds like they publicly stated that they have a buffer overflow attack that works against the new version of RealPlayer 11. The vendor that makes RealPlayer has repeatedly asked Gleg for information about the vulnerability, but Gleg apparently refused to disclose any information about the weakness. It is disorienting for me to think of what this Gleg company does as legal, but it does not seem like they are actually breaking any laws in doing this.

Filed under: Current Events

1 Comment

  • 1

    Comment by Trip Volpe

    February 10, 2008 @ 11:14 pm

    I have to agree about the legality. Although what they’re doing is clearly unethical, it doesn’t seem to me that there’s any behavior here that could be reasonably criminalized. Perhaps some case could be made against furnishing such information to people who will clearly use it for illegal purposes (which seems like what Gleg is doing), but in my personal opinion this would be an unacceptable restriction of freedom of speech.

    In any case, if Gleg is located in Russia, bringing any charges against them would be difficult at best. And trying to achieve security by stifling all the people who might release information about a vulnerability is a terrible security policy anyway, so RealNetworks would be much better advised to focus on finding the security holes in their products themselves.

    Or maybe finally discontinuing and apologizing for that horrible atrocity that they call a media player. 😉
