Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Paying for Flaws: Undermining Security or Rewarding Good Deeds?



 By: Ryan Naraine
2005-07-25
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
News Analysis: Tipping Point's new Zero Day Initiative has validated the market for buying information on security flaws from underground hackers. However, some in the security research community still balk at the idea.

3Com Corp.s announcement that its Tipping Point division would start paying for the rights to security flaw information found by private researchers has reignited an old debate: Should underground hackers benefit from breaking into software systems?

Tipping Points new ZDI (Zero Day Initiative), which will take center stage at the Black Hat Briefings in Las Vegas later this week, effectively validates the market for rewarding members of the digital underground, but Internet security experts argue that the practice undermines the principle of responsibly reporting vulnerabilities directly to software vendors.

For many, the business of finding software vulnerabilities should never be a for-profit exercise.

"People should never be rewarded for breaking into software and finding weaknesses. They should do it out of a need to create a more secure environment for everyone," said one researcher, who declined to be identified.

"The more we see these companies throwing money at underground hackers, the more it creates an unstable environment where the software vendor will be held to ransom."

That reaction isnt uncommon. In a recent interview with Ziff Davis Internet news, chief operating officer of eEye Digital Security Firas Raouf said his company had a fundamental objection to paying for security flaws.

"You end up getting people who arent necessarily experts in the field trying to find something and sell it to the highest bidder … Once you start this, unless theres a strict process in place to manage it, you may end up with more problems for everyone," Raouf said.

Click here to read more about VeriSign Inc.s plan to acquire security intelligence firm iDefense.

iDefense Inc., the security intelligence firm that was recently acquired by Verisign Inc., was the first to tap into the market for security flaw information.

The companys 3-year-old VCP (Vulnerability Contributor Program) involves financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code to iDefense.

Resource Library:

Since the launch of the VCP, more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software researchers, according to Michael Sutton, director of iDefense Labs.

In an interview, Sutton said more than 1,100 vulnerabilities have been submitted to the VCP by more than 200 security researchers.

Of that total, about 50 percent are validated as legitimate security flaws.

Once validated, iDefense will pay an undisclosed sum for the exclusive intellectual property rights to the research.

"This program works very well. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches," Sutton said.

Read more here about iDefenses strategy and reverse engineering.

"Its not surprising to see Tipping Point launch a similar program. Weve been a pioneer with this concept, and weve had incredible success over the years. When you run a successful program, you have to expect competition," he said.

"It really validates what weve been doing with the VCP. It just shows theres a big demand for vulnerability information and provides a big incentive for researchers who spend hours finding security flaws," Sutton added.

Thor Larholm, senior security researcher at PivX Solutions LLC, isnt quite happy with the way iDefense resells the flaw information it purchases, but agrees that paying for flaw information will become the norm once others enter the business.

"Five years ago, it used to be a big deal for a researcher to get credited in a Microsoft bulleting. Were well past those days. People want to be compensated for the work they do, and these programs offer real incentives," Larholm said, noting that the discovery of a bug in a widely deployed Internet-facing application could net a researcher a sum in the range of $6,000.

iDefenses Sutton declined to discuss the price point for flaw information. "We dont discuss pricing, but I can tell you theres real value in that information."

Larholm believes the Tipping Point and iDefense initiatives will push software vendors like Microsoft Corp. into paying for bugs found by outside researchers.

The software giant says it has never paid for information from private individuals.

"We credit finders who report vulnerabilities under responsible disclosure and, from time to time, [we have] contracted security research companies to review code for products under development," a company spokesperson said recently.

Larholm believes its only a matter of time before Microsoft shifts its thinking.

"It would require a cultural change within Microsoft, but I think its a change that will eventually happen. If there are other avenues for researchers to get paid for their work, very few people will be going to Microsoft directly. Its up to Microsoft to figure out whether they want that information in the hands of iDefense and Tipping Point customers before they can get a patch released."

"When a researcher works with Microsoft today, all they get is their name buried deep in a bulletin. In the past, researchers were happy to get the fame and notoriety, but that has changed. It has become hard work to find flaws because vendors are taking security more and more seriously. Today, it calls for heavy reverse-engineering and long days of work to crack into a product. These guys are looking to get paid," Larholm added.

iDefenses Sutton thinks Microsoft and other big-name vendors like Apple Computer Inc., Oracle Corp., IBM Corp. and Sun Microsystems Inc. should all think about paying for external vulnerability research.

"People who uncover vulnerabilities have skills that are sought-after. The VCP has been successful for three years because there is value in that information. Tipping Point is launching a program because there is a market for the research. I believe those researchers have a right to profit from their skills. Its unfair to expect people to take time to find vulnerabilities and then give it away for free. The days of being happy with a mention in a Microsoft bulletin is long gone," Sutton added.

"If Microsoft was to start such a program, it would be a good thing. You cant expect quality assurance work for free anymore."

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Paying for Flaws: Undermining Security or Rewarding Good Deeds?
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}vH9NcO[Hs)m\f6Czw+Dj I# T;qKu~:eC^"3##"####y$ [ֈ\ڃIIvbz]zo/K$[_C1ǵ(ː[(SMHwG iZFOL> \?A,[Y| tjGt0.Sc4k[c2"ײ1Fԓo͍a21X Mk@a:*VOu`ϟ$1qD*Z|9"?)B#lTIPޤàж|3P=(ҷ}ߞĉ }!*Ka>"Jk4ދOᐨQGVsoeY (qw-̪r`x͎Hߴ;ikP;EyAeh/@Zk #LHȾRs= d#;3{R'͡dUH9HЇ(@n S*PVf0;kh>4Kk cǶ<ۥ1|CH &\?ZQM9$7 \hypӧ$@',ۢ,lO`e[پxkȵL]swb.pF,U.M @&ާ4ja[إZr$ 7馡,˺yWͫa(BtVwCgvr=ywך~\(%5WU:C|q뛚um1>xM0v}%WO͋r~@.{A~Aw" DT.jT(T'q"0i>tt4[NBN$:DFI7l;|#rxpX+j TzZ츆G`% pbQU<ϦUys}4Iyr~|j!|'9ĠSIBeIquU_[z\= mv '&l M t4<[TyiI>Ժx|:!Io '|=%w//!]W<fr*C2q/lw$woGbeQc5saM<`~xƀm ȄcPu tZC;J|ڒNmҘj>RB„ԸeNR$9Vˠȟ"Wi8@rDXSl \y`_ߋ3X U >YtFM)N}%N !F\r/QE KH@!F!8N!8Q%Kuu7py@WgfyQ(/YWf<#=Pp55ݏ7Sҹn_u47aE"yƆƇsEHY7wI0aIms1_.Fnm" {2  yv[=gn0\ė<2_O#iu E~hB=Us 'A|5 i!S'XefufcVҒre&Fn(2/%K|*~ (>=u}ã E݋+)q -h8E/4-eUZ0+%afsP,{ :Rj//H"om^¼xSԧVR kυ%2=T@Qr,tx Eø7vz({=Tc( X?ռ\Pe?ȄiDkYUy%_aڹc[ t@ r'4 p} 2 1P&^OgYzP?tm|$}r;| 4p>uyz 2Dm/B)h sXZQccm1L8.xd&, ,[b)36gЬabag9k.n UC^Ha:nMV!҅ LtDm #<ÜB{Wsm 1X@E^dX**Up?~6=2ne"PY΀>mRemӴ1'j5Yf$pFi8Z"48]rɭ™ѧr6|j 0BBȋC۝xy0aм+zm j#h[!p[۞*L6Bmd&v@ ]=2$!UT6fbD ֚G5W#OcS!as>ADbV$\P`t>**2:WDX060n) hRU∛.E^nzZ K,`:ThBPݏP1gxyd{.3I\)*ztKZ,WrkT| }S/7]ex %PٳC~y6sλnnA1pY9[Jzv^Z1:?.f; 3lF@=& &{%Kn!|o=B:~ B}tl#e $$WZ2t 0rA,C7M  LE :McۧԻCaOW93jHfh2 ތSÍP<ϾNj-z-b_@T|X)9mxAPTkf1"eH!c ҧ>дo%\%Lc(V O篌 +˦ +RSJ, 86"u޼Fvr}~!Yh:93ir528k-_gÇӞr em78\Yq\6ƹ (xerU5|W4u 40 SOAqu(*=!!+X5vgfyXc2 09L|K 5vVCiXu_VŭGl䄻% "KC?.zKdD|yfZ+>[W@a9k\JQ) qUEbT)HÞ1L=Mm=YN8Ɖw{6J>ReʔoS YMiq#4.Ҁ^6.31fEl_/c~p)T%$NT.;UM\Z~N, bQrC5Y3rŏjȏr_E+N$}"=U,L>XCU\(E%&f!WB!& B 7lIJ~\+ᘃ{Lw9 M$?WL?W\aniz_HƙA>=l[.K; 3Kc01⾆b䓃RQ-ݥ @.8IVWP~ŀ@ yciߜ6o8s0| _k%<3 nX J^]9јToUkn!ɕ+tR- T1@KLF:{ntE bTJ/؟RBI QV#=.#_Di}D 1_o{o)?Oů1OkwtAx[(+p :dkJ=/ IQ?xHؾhu&eO}쮒$-_"TS(Z!*rڞS)Z@c}OӆO|^BBQJ;1գxLe~=m02l]3%<0KMuN$dJ@/ =)!ۓ8-q^Oyq(KQ{3>e tޜ,Hq9Yi@ylZӽM3BJ$e=sf[E KPk I"X) # |8B[,kH Tq)jݷʪ_> 6o<`H v9ϩJ,c2KIs֝a *6;[T@(NV1k- ,]wOz,EoIM2K}Ȉ]1A/gp9KR>fx/$4n%x9wy!+Up"~%5a˸+ lvX\)ā= !mrEyCW qW;ɏ$Q tD{Uc˿M>@uA*3GI,i4 9gJ{촚ٽzMfC[$K(eJٽdZvimơ8- zNd$$$9U2;˞XDVeΜtՑNx90X%h7YM(f`^/yaҢ99Qw!F.572v UC.^-˸a]f+ O}s,eEK%rs\5"n'x+Z(|eUj h&v?KYޟ;K &bi8W=Th6wSZ~D RdgnFze/a<7|5Zfؙqfd"Lư2zǡ` ܍1³D`H@7вN}t՟Q9y7C|1ɐɂO ɥ@րZ U+b'v+P_61z @Y&DY= ]kRО#ts)pI˂5 ;AW;"! Hh. LO^Ie`[]en.0\IRZދ_K!t& 4%P b^7m@5rc K ڃBO ۢ'$@QPZmɭ"+[q',5l$u16 oxJEQcr'5ՔK l/L8d" jeZ}j:*Ѽ =#gUߊ6˒J)m(8"'ᗼ¸n,>h@ڮtnF&E#WeVy*[j}]'JqSB)>Cq2O@BQQ`,_ t&Rѡϭ2R\,y1&ZA@2XtqE@$=E~^M=lE dXڔ K/%bV>SvH'ǁ>x=F-o-JUaM.5Ǩg߄zd}MԳ/?-:tK- swLH'iKBQ#TP@6[>n1C UtB$f¦+F/^nZnZnZnZJxp|j$^J'ę)N4םI/u:lԔxxQ`l쉀ujGل#DG"x@_.:F7H$u] SKxH" !HD2B*{tۓ0TF ib-l3+jt9ZI%X P|(҉A=r9#XjpYD*| ϋ&o$nafJ6htCubs5eP5EAh$IQ,(Aߎ4xID Z8yeAfS_nE}MPB3+F]߸膔 "/2 R[,/KbMF9/[TZ> g*K:c& ;3cutB 9슐$"J L6a@Fp)h?*ݛ;j~}}}}㶻|PQm]xSI-Jx1e )LڠI@:ѵڼ1a/^t§,=$!^gV^+m [mm Ҷ@U0F7$ 5.:|g$&EBXDC=aqFoJOA@ ^xFiYDHW6~gO=dև]{y)CUHX # rDU9_ۢӸDs@q's# VOB x0I/·͛=coZ[K y=r j6_mqF3\i [n=w6uvq@}qO {3+E|#C;C@K!.WWh̓F) M`c؎fGP>%d`qһZ 9DD+Cn\9d q;K3"}ߴB>WV4Q ߰8ư< <բ80H~u|zmYΥ.KeQX|j|z?cea%N{-vh܇バ#IԬD5VfXw)h%"Q0Mg` 8aY@o1b ,᫿zrTe~vγYbL`W:wռʿH noQ(gPu<aʀ{h490fXLS&p6]oހ\<@K!Y̌P&nsMwmvǭ>I=hT1V87I?ϵ}e?_W,[DU+ R_<:?%8ȨQAH5-ɹ#PxuDg:D?(fz#<Ò5#⟎IZ.'1sNb+]ĐX56 ;"'y#Hdo$ 3?4PZ>lӤ;>Dv QOPV4 94(&Jbido$Fd9~`D4aeI|I|k @`j 5&$|#@ )q/1ć> "K.'p#($o݉f. =9?l*b6  +x)}1|Y9Ts.Z`q'>f;R dbb7S>ѝ^$@O! ׶z sđT6#=A?^YrR~0<.^ahZ<+ qL"&Nư9,2}a^!ꆆ_وua\JFQ{R7y(`e:eRˇh9|j42q)mD!Lj{xbbF MM;P}7Y?dwa'thG!cdh]6b{D05vZEA'ǸOK ˊ\X+=~sm=g6Fešu޴61sS.99D#M9'*k7WP)#uB~b }O ,nZ?れF <"m 7nrlƘ[v Œ5"t|cCמRzwu)ങ'?g)y!V~Z:[)пVJ>ӺJɇRϫ/E |X)s L%LL%2?0˔_}^%e }"^J?@?R/!2%*e~R *evJ ) "_>S_ԿI22._7B?}}LO)-)e|Rw i@){ ߦ wBNR!oY7NoxpSq K /ꗁa uu)@~ NNlcS\*dL IsԿ2~6RAk]O qʕx>9 s[NRse|2Y&K񫙘U4,1Ah b{Heÿ~VPb构u]c\Lr!{] 7eM'ik(s3gg=U#L"{珶ÓxwY.-/9“-P.}IkwecqٞKjo\gU$=l[$$q`tg}#2w\q_cNMn UwxdtR+O6k*85Ϙ8:RL7`I1zIv{>fpOߨ\17p?l{6馁$5q}ter)SaG;A$:>Lt@Լ*R!=f`%xP,g/g2l]gJ 9=v͐Ga0Voѕ !'\BH#td૿֠&ϫXڼxTsc;WI%A#?@(s0TߙF$llB}9=zM7^oa2iV՞ٕz"n4PNwz2hS_4ǭaFr܃x3xMFZ=*Ȟ{J=Ci_ H2.'` N4Gȥ`" >o^ߺ'] NG* XV2Y8бfYgծ'kjw\;a[Ɛcļ*\G'V!-!ߋYry;sdeXx7O{aw:./ C/lca.6Še @脸 VSp[ܩ/vvVQupؘ1hOz|}kd>Lk cNP-c퉜PFĊOrLHmCr؁( G'޳Jft<׶'K6`{wiW.t^",x`mO ɘ&]R o"k-x^ȗApkN,LCO sg§ 0MHKfAl!|aXGuw}CIg恚" ި.~2gIkm=x K %$I S݁:1t^mɡPgIl@ XV' A'|NbOh-xYe7gMc׶hLXDxX{aFht[A$n]3R:cBݺ&ۜ D|xkjød|EBUmk} 1 _KxĠ})`e hqrF߮EWg_6 b gy&"5@ g^lVxSLN=5mczl0)u+9نW.O._oe@DV?zz6 ~5"/}|TLlsDo K u@AekN?iI3۱z Vv֒gƶ CBز\"I.~;T (UXw|6(68|%K' ϽyHju(tF݆ϩfcbyyPޙai./[vLV88ڶRKA=0 Oe`[` ƴ8 [/uԝ@ dd>6miM*.C2L_vs[/B`Ei3{|@  o`PsK ea$itd1S[g-;h b yuKy!OO1W +X>(oۉP#jȥ(-` jz+7DmYtl{A`=>gzC%`*&6a]`p8 te0QLF鄅6s5`?U`2 ߿Z.$AcD5ȱ`,ӊHv"V䜔KLΡnbNqQ!>d>}GjF7L dZ\?م4&εCg%?8 } }{ ŗ$VSX7!Z#^445k4Y}‡(;Awq.8O<{{䏝7ƐF#?q w}/{UQjA7jݎq?wPe^g0u{ bcE%@4X xy3v!?@iBۉZ;Jp8_1=/_st RF`w,}K5jP#/U_~B8ߍ}ήK*{Zdx Uu _ϱb.Ոc󧮕  H0]55M}e2(CT=U38Li'+,H}YR߰dxE2~-]guj4_*(~sZX5谲/Y9|TMzLh?w ^;;1C;,}bY";REHd_\|U0A]U8`~2=>?te*|ތWc f>}EM1e2†B0#a7kM'}f A,_ٖjr}/T'7W"4!bOu( ^&?LV%ޏuDwbi5I,,l=С& j/`77*9<`2 w[X=8 ݟv{x,su0ɲWGYqY8ȽYWa̻ W}k(#@{+-Ub: 8$_/ǞU}tBȠ"i9,H=ux|u=V᱇3lB =j5XPCB׳`/6bA" -v;"R'ky^TZC3\ H[[$+ȅw.xΟ;1-u~!YQ /\"s?s} +H=9nʉoIēCBnMmOs\ ` 4zl\V<І$B}u9X68>FK޹=[xZrw:nQVfɮ}^ֵϛv _yI_1\T@CDT2iyo_/m@?̭9HHMAe wlo&.RQ4X0[}۞icX-GwU$7+Qo2{B#^^p)u0fŞGvrLb1@)pͷxuPQּFH<_bv_3I e'L07Ic_& A bS Ke=!dz2^sҫ,xޅWX[ዷ0Co LK尝챫 ytpǑ2>A0A^g;Oa$_aDSRJGJ`B9_:TiJ0-J57\&P8~;X6E&507:K' LaۑtbvHP(z=Z}Ҿh%aǍoN4:xD+ʴoNI BVqzںz/y+׷͆] Y P͗X4߷ -b<>zrT `eZvcع^f6A_Uȁ\SK+ ǔKˌwcFDOe`V&:e/a?d<