Presenting vulnerabilities and patches as IP

A company called Intellectual Weapons wants to sell your vulnerabilities and the patches that fix them for a lot of money. To do that, they want to patent any vulnerability and patch combinations they get their hands on, so that anyone using that vulnerability or patch will be required to pay them money.

This sounds like a spinoff from the idea behind iDEFENSE.

But it sounds a lot worse, as they plan on suing anyone patching their system without paying them royalties. I can’t emphasize how bad this sounds, but it reminds me of bad ideas, for example BlueSecurity’s approach to fighting spam with an attack on the spammers.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    The comparison to Blue Security seems like an ad hominem and it’s (IMHO) not the best.

    A better comparison is pharmaceutical patents, which keep medication prices artificially high for an extended period under the guise of rewarding innovators. Reasonable or not, it keeps people who can’t afford to pay the higher price from getting the medication.

    Intellectual Weapons won’t make much; they’d be devoured by “compulsory licenses” granted by governments claiming a public safety interest in overruling the patent holder… that is, assuming vulnerability information is patentable at all.

  • http://www.BeyondSecurity.com noam

    Matthew, of course you are right, the better example is pharmaceutical companies, but the idea I had with the comparison is the way you take a good idea, i.e. paying someone to find vulnerabilities – I think it’s a good idea – and mixing up what you do with it, i.e. ask people to pay for the privilege to be secured.

  • http://xenomuta.blogspot.com XenoMuta

    In my opinion, in the worst case scenario, they might patent the exploit code for a certain vulnerability, but there’s no way they’ll get to own patches. It’s way too ambiguous. Let alone alternative binary diffing …