> Exploits do not come out of nowhere. They can't be scaled with demand.
Why not? All large software projects have flaws. Doesn't more demand for exploits mean more people are going to look for and find them?
> The fundamental moral problem with the market isn't the value being imputed to exploits; it's the lack of value imputed to resilient software.
I think it's both. People shouldn't be selling exploits to entities that will use them offensively. And vendors largely don't care about security as much as they should.
More demand does cause more people to look for exploits. But since there's a finite number of vulnerabilities to be extracted from code, I'm not sure how that's relevant.
Why not? All large software projects have flaws. Doesn't more demand for exploits mean more people are going to look for and find them?
> The fundamental moral problem with the market isn't the value being imputed to exploits; it's the lack of value imputed to resilient software.
I think it's both. People shouldn't be selling exploits to entities that will use them offensively. And vendors largely don't care about security as much as they should.