There is a growing controversy over the business of selling zero-day exploits, that is, bugs in software that can be exploited by malware. I say controversy because it is perfectly legal in the U.S. and many other jurisdictions for someone to discover a zero-day, not report it to the software vendor, and then sell information about it to third parties. And there is a rising chorus of calls for government to intervene in this practice. It occurred to me that software vendors are ignoring an existing legal tool that would let them crack down on these practices.
I went and scanned both the Windows 7 EULA and GPLv3, and I can find no language that prohibits someone from disclosing a zero-day exploit to a third party or that requires disclosure to the software vendor. Recall that software is not sold but rather licensed, and the author retains substantial rights over your use of the software. So it should be possible for software vendors to include language in their licenses that makes it a violation of the license to sell zero-day exploits.
There are models that could be followed for creating restrictions on zero-day exploit disclosure. Many years ago (actually decades at this point) Oracle added language to its database system license to prohibit disclosure of benchmark results. Other database vendors eventually followed. This later spread to other software; for example, the Windows 7 EULA places some restrictions on the publishing of .NET benchmark information.
It even seems to me that the GPL, as well as other Open Source licenses, could be modified to limit disclosure of zero-day exploits. One would think that mandating disclosure to the original copyright holder before any other disclosure is in the spirit of the GPL.
Can this work? Well, it can help. Legitimate entities like Vupen have little choice but to adhere to licensing restrictions or face crushing legal consequences. And while black hat hackers will largely laugh at these restrictions, it does open up another avenue for targeting their activities with the legal system.
And what of those calls for further government regulation? Well, I’d say that chances are 99% that any new laws or regulations will exempt sale or other disclosure to government entities. And while that might seem acceptable, it has many negatives. First, it keeps alive the business of selling exploits. Second, it creates a loophole that allows sales to government entities that may be less than friendly. Third, it legitimizes keeping vulnerabilities in software unpatched to allow for cyber “warfare” or other government-sponsored attacks. Fourth, it could lead to all kinds of unintended consequences, such as bringing more software under munitions control regulatory schemes.
Even if you dismiss my concerns about the negative consequences of additional government regulation, any such regulation will leave gaps that my proposed solution can fill. For example, a new U.S. law will have limited impact on foreign actors, but a software vendor can create contractual obligations that apply in most jurisdictions without requiring new authority from the governments of those jurisdictions.