
Security by economic obfuscation

This is what Chris Hoff calls the fact that vulnerability researchers don’t spend time looking for holes in commercial (and expensive) software products, like virtualization platforms.

I think we have been living with this for a long time. I can mention mainframe software (even without buying hardware, researchers could run it on emulators like Hercules), ERP systems (SAP) and application servers, like Oracle and IBM, as software that is not receiving the proper attention from vulnerability researchers. I’m pretty sure that a lot of interesting vulnerabilities would arise if more research were focused on them, but their license prices are too aggressive to allow more people to install and test them.
