HP buys 3Com: how will that impact ZDI?
What happens if your job is to sell customers information about embarrassing vendor vulnerabilities, and then your company is bought by one of the very vendors you report on?
Going back to cheesy analogies, this is the age-old question: can God create a stone so heavy that He cannot lift it?
The case in question is HP buying 3Com (which owns the Zero Day Initiative), and as HD Moore correctly pointed out, there is bound to be some conflict there.
This will be an interesting match to watch. First, the stone is very heavy. Knowing the ZDI team (*), they have been very successful at staying independent inside the huge 3Com corporation, and my money would be on them succeeding at doing it again.
But when we ask whether HP can lift this proverbial stone, let's remember that HP was the only large vendor to pull out the nuclear weapon of threatening to sue a security researcher for making its flaws public. Now a group inside HP's own organization will be selling information about unfixed HP flaws to paying customers, and paying the same researchers HP wanted to sue seven years ago.
(*) Full disclosure: we run an alternative service to ZDI called SecuriTeam Secure Disclosure. That doesn't take anything away from my respect for the ZDI guys and what they have been doing.