Cash for Code: Does it Work?

Some may feel that paying "researchers" to come up with new vulnerabilities creates bad incentives, but iDEFENSE argues that its Vulnerability Contributor Program (VCP) serves its clients and the community as a whole.

In August 2002, iDEFENSE announced its unprecedented and controversial Vulnerability Contributor Program (VCP). Established to meet market need, the VCP protects the critical information infrastructure within organizations of all sectors against an unprecedented incidence of cyber attacks. The model was designed because there was - and for the foreseeable future will be - a need for timely and proactive solutions to prevent damage before it occurs.

The VCP taps into the abundance of security knowledge about as-yet-undisclosed vulnerabilities, exploits and malicious code found by individuals and security groups. Some of this may be disclosed on an information security-related mailing list, or as the result of a post-mortem analysis of a compromised computer system. In the simplest terms, the program solicits information on new vulnerabilities from researchers willing to trade their intelligence for payment.

Since the programs launch, the debate among industry watchers, security organizations, members of the hacker underground and vendors has raged loud and wide. Now, more than a year later, the VCP is no less controversial, as I experienced first-hand while attending the 2003 Black Hat Briefings and DefCon 11 events. These two security conferences provided me with a wonderful forum to speak with the programs advocates and critics alike, and to discuss frankly the benefits and risks of the program in the spirit of a shared commitment to a more secure Internet.

So, what are the issues and who are the players with a vested interest? On one hand, there is the security community at large - the pool of resources that iDEFENSE taps for information. On the other are consumers of the information - those who rely on timely and actionable information. These groups have polar positions on the correct way to disclose vulnerabilities. Purists feel full disclosure of every potential issue is the best way to go, while some members of the black hat community oppose the idea of paying for vulnerabilities and exploit code being circulated in the hacker underground. As with any issue, there is a large degree of gray area around the entire process of responsibly disclosing vulnerabilities to vendors whose products are affected by the threat, giving clients an early warning system and keeping the black hats at bay.

iDEFENSEs VCP is the industrys first program that attempts to balance all sides by remaining true to its customers while being responsible to vendors and the Internet community at-large. Upon notification of potential new threat, iDEFENSE Labs, the R&D group within the company, tests and verifies the submitted information in a controlled environment.

The VCP pays security researchers for this advance notification of undisclosed information once it has been verified as a legitimate threat. After iDEFENSE Labs reviews the submitted information, we negotiate the payment amount with the contributor, and agree whether to name him/her or provide anonymity. Once an arrangement for payment has been agreed upon, we work with the contributor to determine the appropriate vendor notification process. iDEFENSE simultaneously notifies its customers and the affected vendor of the disclosed information, and devises mitigation strategies that can be deployed until a vendor patch is issued. Also, all iDEFENSE customers are under strict non-disclosure agreements that prohibit them from disclosing the information provided, thereby giving time for vendors to create patches before the new flaw can be turned into an exploit.

By streamlining the vendor notification process, researching exploit code, and providing customers with mitigation strategies, iDEFENSE contributes to secure software initiatives by surfacing many underground exploits that would not otherwise have been made public or brought to a vendors attention - until it was too late. To ensure a full and fair process for widespread dissemination of threats, we have published our disclosure policy for all parties to review and understand.

To date, the VCP has been very successful; the program has unearthed more than 200 new vulnerabilities that have been submitted by dozens of contributors around the world. As the number of vulnerabilities increases each year, todays technology-only approach, i.e. the use of firewalls, intrusion detection systems, and anti-virus software, will not suffice. The VCP offers a window on the evolution of information security solutions, providing a fair and responsible program that allows for the disclosure of new vulnerabilities. It is a cornerstone of tomorrows multi-tiered security platforms and knowledge management frameworks - providing cutting edge intelligence to defend organizations, increasingly important as zero-day exploits loom on the cyber security horizon.

Sunil James is Director of Aggregated Vulnerability Intelligence for iDEFENSE. He can be reached at