The critics speak up
Not everyone agrees. Firas Raouf, chief operating officer of eEye Digital Security, thinks that the business of buying rights to flaw information is a dangerous practice. "We dont believe that finding software vulnerabilities should be a for-profit business. We have a problem with paying for flaws. People should not be rewarded financially with finding flaws. Researchers should consider that finding flaws is an end in itself to make the world a more secure place," Raouf said in an interview."Last year, we released more than 100 public advisories. If you were to hire a team to come up with that volume in a year, it would cost a ton of money. The VCP gives us a very flexible, scaleable business model." Sutton refused to discuss how much money is paid for the rights to a flaw discovery. When the program launched in 2002, the company was offering up to $400 per vulnerability, and eEyes Raouf believes it is now in the range of $3,000 each. "You have to remember there is a very lucrative underground market for this information. Theres a lot of work being done on the organized crime side to get this information, and the prices being offered are quite high," Raouf said. Raouf supports software vendors offering financial incentives, much like the Mozilla Foundations bounty program that pays up to $500 for any critical bug found in the open-source code base. "Finding vulnerabilities should be part of a manufacturers QA [quality assurance] process. Microsoft, for example, is investing a lot of resources on training to help developers write secure code. It has worked quite well for Mozilla to get more professionals picking away at the code," Raouf said. Click here to read more about the debate surrounding iDefenses Vulnerability Contributor Program. "Paying for this kind of information could have some implications. You end up getting people who arent necessarily experts in the field trying to find something and sell it to the highest bidder Once you start this, unless theres a strict process in place to manage it, you may end up with more problems for everyone," Raouf added. A spokeswoman for Microsoft said the company has never paid for information on product bugs from private individuals. "We credit finders who report vulnerabilities under responsible disclosure and, from time to time, [we have] contracted security research companies to review code for products under development," the spokeswoman said. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
iDefenses Sutton, however, argued that buying the information is the only way to make flaw discovery a scaleable business.