A prominent French security company has stopped distributing exploit code to the general public -- a move that should come as a relief to many software vendors.
FrSIRT, formerly called K-Otik, and its parent company A.D. Consulting offer security consulting services, as well as a database recording software vulnerabilities. But the site also goes a step further, and publishes code exploiting those vulnerabilities, to the chagrin of some vendors, who charge that such practices verge on the irresponsible.
However, the firm has now pulled its database of exploit code into a paid service called FrSIRT Vulnerability Notification Service (FrSIRT VNS). The vulnerabilities database is still publicly available.
The VNS offers 24/7 notification services and incident response, according to FrSIRT, with notifications via a customizable web-based interface and email. FrSIRT claims to monitor 50,000 product versions. FrSIRT VNS also offers an online vulnerability scanner to identify vulnerabilities on a system. The basic service allows for one user, with a premium "VNS+" service supporting five or more users.
The three-year-old company has been active in its support of a "full disclosure" agenda since its formation, arguing that this leads to more secure products. Its corporate policy states that FrSIRT will "publish all the technical details of (a new vulnerability)... at the time of its discovery".
This is a more extreme view than that taken by other firms, which often keep bugs completely under wraps until they have been patched. Some firms, such as Verisign's iDefense, notify the public that there will be a vulnerability disclosed, but don't give details until a patch has been released.
FrSIRT argues its policy helps to "ensure IT security and to encourage vendors to quickly develop solutions and corrective measures for security problems".
However, security researchers are finding a growing market for selling exploit research, rather than publishing it to the general public. TippingPoint and iDefense are among those who offer payment for such research; last year an exploit for Microsoft Excel notoriously went on sale on eBay.
Until recently, the notorious hacker holy_father offered a paid version of his rootkit, Hacker Defender, with regular updates designed to fool security software.