March 24, 2009

Charge, charge all you can, save some bucks and be happy.

Let's make it clear. I am a supporter of full disclosure; after all, criminals have the motivation to find bugs and keep them to themselves.

But I must also say that I fully support the point defended by Dino Dai Zovi and some of our peers when they say that researching security bugs should be a paid job.

As Camp and Wolfram noted, bugs can be considered negative externalities: in this case, a situation where the producer's weak quality control has negative "economic consequences for others for which there is no compensation". At the same time, economists agree that the originator of a negative externality will not take it into consideration unless prevented or discouraged, therefore producing more faulty software than it would if it had to pay for the cost of testing it.

The problem isn't Dino Dai Zovi's belief that he should be paid; he should. If he doesn't charge, companies will keep doing wrong and shipping improperly coded software under the cloak of "innovation". Also, it's not about greed: after all, competition tends to reduce Dino's profit, so no wonder the brilliant researcher is chasing after other subjects.

The problem is the lack of transparency on the vulnerability exchange markets.

Who buys the vulnerabilities? For what purpose?

Well… I'm not sure we want the answers.
