Theres been a debate going on in the industry about whether its right for companies to charge for “premium” security-threat information. Me, Ive got my feet firmly planted on both sides of the issue, hoping they dont slide too far apart.
This discussion reminds me of something an open-source proponent once told me: “Information should be free, but my time isnt.” That concept should apply here as well.
Information about specific threats should be made widely available, quickly available, and available without charge. It is not acceptable to tell some customers first and others later. While that is bound to occur informally, it shouldnt become a revenue stream.
This prohibition shouldnt stop vendors from doing interesting things with threat information and charging for those services. As an example, lets look at how the National Weather Service makes its information available.
NWS provides weather data in a variety of formats and flavors. It does not charge for this information, although you may have to pay for the bandwidth to receive it. Third-party vendors, such as AccuWeather to choose a well-known example, repackage this information, add their own content and provide additional value-adds on a fee-for-service basis.
Still, the most basic information remains available, for free, from many sources. You dont have to pay for weather information or forecasts, but there are reasons why you may want to.
This seems like a good model for threat information to follow, except that unlike the weather, where the federal government pays for the basic information collection and forecasting, security information gathering is dominated by the private sector, giving it more control.
As an ethical issue, I believe any organization knowing of a significant security threat has a responsibility to properly report it. Vendors have a responsibility to notify their customers or the broad user community, depending upon the nature of the threat.
Vendors responsible for providing solutions to these threats have a responsibility to make them available on a timely basis. While it is acceptable to roll out solutions first to most-vulnerable customers, I dont believe there should be discrimination based on willingness or ability to pay.