Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Networking

    Cash for Code: Does it Work?

    By
    Sunil James
    -
    October 29, 2003
    Share
    Facebook
    Twitter
    Linkedin

      In August 2002, iDEFENSE announced its unprecedented and controversial Vulnerability Contributor Program (VCP). Established to meet market need, the VCP protects the critical information infrastructure within organizations of all sectors against an unprecedented incidence of cyber attacks. The model was designed because there was – and for the foreseeable future will be – a need for timely and proactive solutions to prevent damage before it occurs.

      The VCP taps into the abundance of security knowledge about as-yet-undisclosed vulnerabilities, exploits and malicious code found by individuals and security groups. Some of this may be disclosed on an information security-related mailing list, or as the result of a post-mortem analysis of a compromised computer system. In the simplest terms, the program solicits information on new vulnerabilities from researchers willing to trade their intelligence for payment.

      Since the programs launch, the debate among industry watchers, security organizations, members of the hacker underground and vendors has raged loud and wide. Now, more than a year later, the VCP is no less controversial, as I experienced first-hand while attending the 2003 Black Hat Briefings and DefCon 11 events. These two security conferences provided me with a wonderful forum to speak with the programs advocates and critics alike, and to discuss frankly the benefits and risks of the program in the spirit of a shared commitment to a more secure Internet.

      So, what are the issues and who are the players with a vested interest? On one hand, there is the security community at large – the pool of resources that iDEFENSE taps for information. On the other are consumers of the information – those who rely on timely and actionable information. These groups have polar positions on the correct way to disclose vulnerabilities. Purists feel full disclosure of every potential issue is the best way to go, while some members of the black hat community oppose the idea of paying for vulnerabilities and exploit code being circulated in the hacker underground. As with any issue, there is a large degree of gray area around the entire process of responsibly disclosing vulnerabilities to vendors whose products are affected by the threat, giving clients an early warning system and keeping the black hats at bay.

      iDEFENSEs VCP is the industrys first program that attempts to balance all sides by remaining true to its customers while being responsible to vendors and the Internet community at-large. Upon notification of potential new threat, iDEFENSE Labs, the R&D group within the company, tests and verifies the submitted information in a controlled environment.

      The VCP pays security researchers for this advance notification of undisclosed information once it has been verified as a legitimate threat. After iDEFENSE Labs reviews the submitted information, we negotiate the payment amount with the contributor, and agree whether to name him/her or provide anonymity. Once an arrangement for payment has been agreed upon, we work with the contributor to determine the appropriate vendor notification process. iDEFENSE simultaneously notifies its customers and the affected vendor of the disclosed information, and devises mitigation strategies that can be deployed until a vendor patch is issued. Also, all iDEFENSE customers are under strict non-disclosure agreements that prohibit them from disclosing the information provided, thereby giving time for vendors to create patches before the new flaw can be turned into an exploit.

      By streamlining the vendor notification process, researching exploit code, and providing customers with mitigation strategies, iDEFENSE contributes to secure software initiatives by surfacing many underground exploits that would not otherwise have been made public or brought to a vendors attention – until it was too late. To ensure a full and fair process for widespread dissemination of threats, we have published our disclosure policy for all parties to review and understand.

      To date, the VCP has been very successful; the program has unearthed more than 200 new vulnerabilities that have been submitted by dozens of contributors around the world. As the number of vulnerabilities increases each year, todays technology-only approach, i.e. the use of firewalls, intrusion detection systems, and anti-virus software, will not suffice. The VCP offers a window on the evolution of information security solutions, providing a fair and responsible program that allows for the disclosure of new vulnerabilities. It is a cornerstone of tomorrows multi-tiered security platforms and knowledge management frameworks – providing cutting edge intelligence to defend organizations, increasingly important as zero-day exploits loom on the cyber security horizon.

      Sunil James is Director of Aggregated Vulnerability Intelligence for iDEFENSE. He can be reached at sjames@idefense.com.

      Sunil James

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×