Immunity, which buys but does not disclose zero-day bugs, keeps tabs on how long the bugs it buys last before they are made public or patched. While the average bug has a lifespan of 348 days, the shortest-lived bugs are made public in 99 days. Those with the longest lifespan remain undetected for 1,080 days, or nearly three years, Aitel said.
“Bugs die when they go public, and they die when they get patched,” she said.
So, by that logic, “buying but not disclosing” these bugs keeps them alive by closing off the first avenue; the only remaining way for such a bug to die is for it to get patched.
Fortunately, no. Although Immunity’s business model is based largely on keeping the rest of the world in the dark about new vulnerabilities while it tells its own customers how to protect against them, it does seem from Microsoft’s Security Bulletins that Immunity reports these vulnerabilities to Microsoft.
I hope Microsoft didn’t have to become a customer in order to get that information, though, because that would mean that it’s Immunity’s policy to keep bugs alive.
What happens if they find a bug in my software? Will I be told?