Security Watch

Keeping Track of patches and hacks in the IT security world.

New Firm Eager to Slap Patents on Security Patches

Security researchers, are you tired of handing your vulnerability discoveries over to your employer, as if that were what you're paid to do? Helping vendors securing their products—for free—so that their users won't be endangered by new vulnerabilities? Showing your hacking prowess off to your friends, groveling for security jobs or selling your raw discoveries to middlemen for a fraction—a pittance—of their real value?

Take heart, underappreciated, unremunerated vassals, for a new firm is offering to work with you on a vulnerability patch that they will then patent and go to court to defend. You'll split the profits with the firm, Intellectual Weapons, if they manage to sell the patch to the vendor. The firm may also try to patent any adaptations to an intrusion detection system or any other third-party software aimed at dealing with the vulnerability, so rest assured, there are many parties from which to potentially squeeze payoff.

Intellectual Weapons is offering to accept vulnerabilities you've discovered, as long as you haven't told anyone else, haven't discovered the vulnerability through illegal means or have any legal responsibility to tell a vendor about the vulnerability.

Also, the vulnerability has to be profitable—the product must be "highly valuable," according to the firm's site, "especially as a percentage of the vendor's revenue." The product can't be up for upcoming phaseout—after all, the system takes, on average, seven years to churn out a new patent. The vendor has to have deep pockets so it can pay damages, and your solution has to be simple enough to be explained to a jury.

Because goodness, you will be looking at juries and lawyers, you can count on that. Intellectual Weapons says this isn't for everybody. The firm says it "fully [anticipates] major battles."

"We need people who have the emotional stability and the tenacity to persevere with each project—from describing the vulnerability, and helping develop the fix, through to generating and enforcing the IP," the firm states on its site.

Patenting may be a new twist, but the idea of profiteering from vulnerabilities is nothing new. iDefense Labs has its Vulnerability Contributor Program, and TippingPoint has its Zero Day Initiative. Even the Mozilla Foundation tried it, although of course the open-source software project dedicated funds to bugs found in only its own code.

The blogosphere is frothing.

"Nice. The race to the bottom started by [TippingPoint parent company] 3Com and [iDefense] is now complete. I for one hope that Matasano is able to use this idea in regards to a TippingPoint vulnerability," wrote Chris_BJune in a response to a blog from security firm Matasano's Thomas Ptacek.

According to Ptacek, the reasons why nobody should care about Intellectual Weapons includes the fact that the time required to complete a patent filing is over seven years. Add on to that the years it will take to "initiate, litigate and prevail in a patent claim, especially against an established software vendor," Ptacek said. "Presuming you do prevail; you likely won't."

Intellectual Weapons has plans to deal with these inconveniences, however. The company says that it may try to use a Petition to Make Special in order to speed up the examination process when filing a U.S. patent. Another strategy the firm proposes using is to go after a utility model rather than a patent—a utility model being similar to a patent but easier to obtain and of shorter duration—typically six to 10 years.

"In most countries where utility model protection is available, patent offices do not examine applications as to substance prior to registration," the company says. "This means that the registration process is often significantly simpler, cheaper and faster. The requirements for acquiring a utility model are less stringent than for patents."

Ptacek calls utility models "patents-lite." Other nicknames are "petty patent," "minor patent" and "small patent." Such patent workarounds are available in some EU countries and other countries including Argentina, China, Malaysia, Mexico, Morocco, Philippines, Poland, Russia, South Korea and Uzbekistan.

"Would it be [possible] for an outfit like 'Intellectual Weapons,' exploiting the services of contingency-fee lawyers, to get an injunction against a Microsoft security fix in the Republic of Moldova? Anything's possible," Ptacek said.

He doesn't believe it will happen, however, given that international patents have to be fought jurisdiction by jurisdiction. "In this case, you'd be slogging through those fights for a shot at a tiny sliver of the revenue generated by the products you're targeting. This is nothing like NTP vs. RIM, where NTP's claims enabled RIM's entire product."