When Disclosure Works Against Security Researchers

Charlie Miller, a consultant for Independent Security Evaluators in Baltimore, Md., is one of those security researchers who want to be reimbursed for their time. After finding a bug in the open-source application Samba in 2005, he tried to sell it to the usual suspects: the security firms who would have lost out if attackers had exploited the weakness. The problem Miller found was that he had no idea what the Samba flaw was worth. He eventually wound up selling the bug in 2006 to a U.S. government contractor for a respectable $50,000, but even now he's not sure he got a fair price.

What Miller does know is that the longer he waited, the less value the vulnerability would have, given the likelihood that it would be discovered elsewhere or even patched by Samba.

Would an auction site have gotten Miller a better price? That's the ultimate question, he said. "In theory, it would seem that the open market would benefit me," he said in an e-mail exchange with eWEEK. "However, I know some buyers would not use the site, limiting the potential bidders." For example, with his Samba exploit, Miller wanted to offer it to iDefense and TippingPoint to see what they would offer, "just out of curiosity," he said. The ultimate buyer told him that if he did contact the vulnerability brokers, it would reduce the value of his finding, since more people would know about it.

Wabisabilabi is the perfect example of how disclosure can work against a security researcher. It's epitomized in what has happened since the auction site first listed the flaw for the GPG plugin to Squirrelmail Version 2.0. Even though the site gave scant details to describe the vulnerability, namely that it is a command injection, the information was specific enough to Miller and other researchers that they've been able to determine what the bug most likely is. "Looking at [the flaw and its potential location in Squirrelmail code] for 10 minutes, it looks like the exec in gpg_sign_attachment() where shell meta characters are in $passphrase," Miller wrote on the Daily Dave blog. "The MKPortal one looks pretty easy to find too. It's nice for someone to point these bugs out so we can go look for them!"

In fact, the GPG plugin in the last day or two released a new version, 2.1, Miller pointed out, which likely spoiled the Wabisabilabi auction for the item. "They get $0 now but may have gotten a couple hundred bucks from TippingPoint," Miller said in his interview with eWEEK.

Zampariolo admits that Wabisabilabi is always going to be vulnerable to having researchers work out vulnerabilities on their own, based on the information the auction site provides. "We're always in the middle," he said. "We're always sure [we'll] make some mistakes. Sometimes [we'll] publish so much that somebody in the field can discover [the vulnerability details] and go ahead [and publish them]."

Wabisabilabi is counting on some level of laziness to float its business. Some researchers will be either too lazy or simply unable to figure out the flaw details from the information listed on the auction site. "If you want the Squirrelmail vulnerability, you're spending 500 bucks. If you're very smart [and figure it out on your own], OK, I will cheer to that," he said. "We're between the fire and the frying pan."

At any rate, Dave Aitel, founder of Immunity, agrees that it's hard to value a vulnerability or exploit without seeing it. "It's hard to even know if there is a vulnerability without testing an exploit, which makes this sort of model really hard," he said in an e-mail exchange. "Immunity relies on getting familiar with our suppliers so we don't have to pre-vet everything." Besides, Aitel said, the timing can be tricky with vulnerability purchases. "How do buyers know that the vulnerability wasn't sold to someone else immediately before going onto the auction site? Obviously they don't, which is going to lower the value of any bug sold," he said. The auction mechanism is therefore useful for low-value bugs, Aitel said, but not as useful for anything of higher value. Besides, he said, Wabisabilabi's prices are "way too high" for low-value vulnerabilities, which is why no one is currently bidding.

The sticking point for TippingPoint's Forslof is Wabisabilabi's lack of transparency. "You don't know who the guys are, who's backing it, who's funding [the flaws]," she said in an interview with eWEEK.
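The bug pattern Miller describes (a passphrase carrying shell metacharacters reaching exec()) is shown below as an added illustration in PHP, Squirrelmail's language; this is not the plugin's code, and the function names, gpg flags and sample passphrase are assumptions. It puts the unsafe string building beside two hardened forms a maintainer would reach for.

```php
<?php
// Added illustration, not code from the Squirrelmail GPG plugin.
// Function names, gpg options and sample values are assumptions.

// The pattern Miller points at: a caller-supplied $passphrase is pasted
// straight into a shell command string. Any shell metacharacter in it is
// interpreted by the shell, so the passphrase can alter the command that
// runs. Kept only to contrast with the fixed versions below.
function build_sign_command_unsafe(string $file, string $passphrase): string
{
    return "gpg --batch --passphrase $passphrase --sign $file";
}

// Hardened form 1: escapeshellarg() turns each value into one single-quoted
// shell argument, so metacharacters inside it are plain data to the shell.
function build_sign_command_safe(string $file, string $passphrase): string
{
    return 'gpg --batch --passphrase ' . escapeshellarg($passphrase)
         . ' --sign ' . escapeshellarg($file);
}

// Hardened form 2 (preferred): no shell and no passphrase on the command
// line at all. proc_open() with an argv array (PHP >= 7.4) execs gpg
// directly, and the passphrase is fed through an extra pipe (fd 3), so it
// is neither shell-parsed nor visible in `ps` output. Assumes GnuPG 2.
// Returns gpg's exit status, or -1 if the process could not be started.
function sign_file_with_pipe(string $file, string $passphrase): int
{
    $argv = ['gpg', '--batch', '--pinentry-mode', 'loopback',
             '--passphrase-fd', '3', '--sign', $file];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'],
             2 => ['pipe', 'w'], 3 => ['pipe', 'r']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[0]);                       // gpg reads the file, not stdin
    fwrite($pipes[3], $passphrase . "\n");   // passphrase via fd 3 only
    fclose($pipes[3]);
    stream_get_contents($pipes[1]);          // drain so gpg never blocks
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Self-check on a constructed passphrase containing a quote: the hardened
// builder must yield a single quoted token for it.
function self_check(): bool
{
    $cmd = build_sign_command_safe('mail.txt', "it's a pass");
    return $cmd === "gpg --batch --passphrase 'it'\\''s a pass' --sign 'mail.txt'";
}
```

A code review or static check that flags string-built exec()/system() calls fed by request data, and requires the argv-array form instead, catches this class of bug before it is auctioned.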