ISS and TippingPoint seem to be battling it out publicly over the ethics of hacking contests, buying exploits and responsible disclosure.
This is a discussion that has been a long time coming. Companies like TippingPoint and others who buy zero-day exploits and sponsor hacking-for-money contests and the like seem to be only a short distance from the people and companies who release exploit code and tools that make attackers better at what they do.
I think that it is high time that someone holds the feet of these firms and individuals to the fire over their ethics, so to speak. How companies or people can create attack tools, sponsor the creation of zero-day attack code and teach attack techniques to the public while still saying to customers – “trust and pay us to protect you” – seems pretty odd to me. It certainly makes me think of movies where small business owners pay large men with baseball bats for “protection”.
While the bat may have changed to computer code, I just don’t see how making attackers more effective, funding underground research and encouraging attacker behaviors are responsible, ethical and proper for those persons and organizations that claim to be out to protect businesses from such attacks.