paying for security updates #25

pdurbin opened this issue May 16, 2019 · 2 comments


pdurbin commented May 16, 2019

Is software for the greater good if you have to pay for security updates? I mean you can run the "community" version for free but there are known vulnerabilities in it (CVEs) and the way to stay secure is to switch to the version that's commercially supported. Does this have anything to do with the Greater Good Affirmation?


vsoch commented May 16, 2019

I can't answer these questions if there isn't a clear definition of what it means to be "for the greater good" in the first place. My gut says that denying a security update, if there is risk of harm, is not a moral thing to do.


Beanow commented May 22, 2019

Recently I posted a good ol' rant on a similar thought here: sfosc/sfosc#33 (comment)

I was using John Rawls' veil of ignorance game as a framework to decide on whether you have a moral duty to build software with security in mind.

The conclusion I came to was:

My conclusion

I think Rawls' theory doesn't compel you to try very hard at making the software secure. But it has great benefits, so it's a good idea to try anyway. Optional but worthwhile.

But I do think it says you:

  • MUST try and get vulnerabilities fixed and publicly disclosed when discovered.
  • SHOULD have a responsible disclosure process in place.
  • SHOULD want the guarantees of the responsible disclosure to be as strong as possible to reduce risk and ensure timely fixes and public disclosure.

Note: that first one implies you have a continuous moral obligation to make the fix and public disclosure happen. And not just the person who found it, everyone. You should pressure, lobby, monitor, or whatever other means you have available to make this process the best it can be.

Can you get away with not setting up responsible disclosure?
Well, theoretically, I'd say yes. If no vulnerability is ever found, the process wouldn't make a difference. You're actually paying an opportunity cost for setting it up. But even a mostly effective, hastily put together process beats none. And the cost for that is reading a few pages of background info, copy-pasting a standard text into your repo and setting up a disclosure address.
It's like making regular backups: you're probably making excuses why you aren't, and even a crappy backup is better than none.

At the crux of it is: "It [security patches] is to be to the greatest advantage of the least advantaged members of society". So I would say, withholding fixes for security problems is not the right thing to do with this framework in mind.

Not using the framework I would still think this isn't a very moral practice. You're deliberately creating an unequal playing field and trying to monetize that at the expense of security.
