Apparently this firm wants crackers to tell them about 0days they find so that they can jointly develop and patent a fix. They then want to license that fix to the original software vendor and sue anyone who uses knowledge of the fix without a license.
- Useful or industrially applicable
Let’s look at those in reverse order. Useful or industrially applicable would be pretty easy to demonstrate. Fixes to security bugs are certainly helpful in maintaining system security and industry requires security these days. Great work, Intellectual Weapons.
Inventive is going to be a tough one. This is also described as non-obvious. If you look at most buffer overflow flaws in applications, the fix consists of “replace gets() with fgets().” That isn’t terribly inventive, nor non-obvious. Some more subtle bugs might need to have more involved fixes, I suppose, but the most common security flaws have pretty standard fixes and unless whole new algorithms had to be invented I don’t suspect these fixes will be terribly inventive.
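The standard fix mentioned above, as an added example that is not code from the original post: `read_line` is a hypothetical helper name and the 16-byte buffer is a constructed value. It goes one step past the one-line swap by handling the newline that fgets() keeps and lines longer than the buffer.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Before (the flaw): gets() copies a whole input line into the buffer with
 * no length limit, so any line longer than the buffer overruns it:
 *
 *     char name[16];
 *     gets(name);
 */

/* After: read_line() is a hypothetical helper built on fgets().
 * Returns 0 for a complete line, 1 if the line was longer than the buffer
 * (the stored part is truncated and the rest is discarded), -1 on EOF or
 * error. The buffer is always NUL-terminated when 0 or 1 is returned. */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0 || size > INT_MAX || fgets(buf, (int)size, in) == NULL)
        return -1;

    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {        /* the whole line fit: drop the newline */
        buf[len] = '\0';
        return 0;
    }

    /* No newline stored: the input ended, the line exactly filled the
     * buffer, or the line was too long. Look at the next byte to decide. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;
    while (c != '\n' && c != EOF)  /* discard the rest of the long line */
        c = fgetc(in);
    return 1;
}

int main(void)
{
    char name[16];                 /* constructed size for the example */
    int rc = read_line(stdin, name, sizeof name);
    if (rc < 0)
        return 1;
    printf("%s%s\n", name, rc == 1 ? " (truncated)" : "");
    return 0;
}
```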
Finally “new” is a real killer for this idea. As mentioned above, there are plenty of examples and patterns for fixing security bugs so there is going to be a tremendous amount of prior art out there.
They have an FAQ with all sorts of answers why the glaring flaws in their idea can be worked around but most of this looks like bunk. I have dealt with the US Patent and Trademark Office before and they are almost unbelievably slow. Even their simple and expedited services are too slow for this idea to be workable.
This has to be a hoax. It did serve to get me all riled up on a Friday, though. Bravo!
dan _at_ denimgroup.com