Buy and Tell: TippingPoint to Disclose Purchased Flaws

A security company that pays hackers for information on security vulnerabilities and exploits plans to release a list of 29 unpatched flaws in products sold by Microsoft, IBM, Apple, Novell, Adobe, AOL and Sun Microsystems.

A security company that pays hackers for information on software flaws and exploits plans to release a list of 29 unpatched flaws in products sold by a host of big-name vendors, including Microsoft, IBM, Apple Computer and Novell.

The Aug. 28 disclosure from TippingPoints ZDI (Zero Day Initiative) flaw bounty program is a significant change to the way the 3Com-owned company handles the disclosure of vulnerability data it buys from external researchers.

Instead of waiting for software makers to issue patches, TippingPoint will announce the flaw purchase in bare-bones advisories at the time the issue is reported to the vendor.

Dave Endler, director of research at TippingPoint, in Austin, Texas, said the list of 29 includes six bugs affecting Microsoft; three affecting Novell; two each for products sold by IBM and Apple; and one each affecting AOL, Adobe and Sun Microsystems.

/zimages/3/28571.gifClick here to read more about the sale of the WMF exploit on the underground market.

"Were not identifying the software or product versions. Were simply naming the vendor, the date the issue was reported and the severity of the vulnerability," Endler said in an interview with eWEEK.

In the first year since ZDI started shopping for flaws, Endler said the company has fielded submissions from hundreds of hackers, culminating in 30 published post-patch bulletins. TippingPoint has been credited with finding nine vulnerabilities patched in the last three Microsoft Patch Tuesdays, he said.

With the new disclosure policy, Endler said he believes TippingPoint can serve as an industry "watchdog" against companies that drag their feet when software vulnerabilities are reported.

"We can use this to apply some pressure on some vendors. Some, like Microsoft, are very diligent about responding, but there are others that take six months or more to get a fix ready. After youve passed the six-month timeline, theres a good chance someone else will find [the vulnerability] and it might not be someone responsible," he said.

/zimages/3/28571.gifClick here to read more about a price war in the flaw bounty market.

In addition to ZDI, TippingPoint has a team of internal researchers that also discovers and reports security bugs to vendors. So far this year, staff researchers have found 10 vulnerabilities that resulted in patches, and six more in the disclosure pipeline are affecting AOL, Apple, IBM, Computer Associates and Crystal Reports.

According to VeriSigns iDefense, which also buys data on flaws and exploits from external hackers, it has no plans to preannounce its purchases. "Whats the benefit of doing that? It seems to be something thats driven by marketing," said Joseph Payne, vice president of iDefense.

Payne suggested that TippingPoints move could point malicious hackers in a certain direction and put certain vulnerable applications at risk. "If you tell the research community that you have found something in a certain application, you can be sure they will all start looking for it. Weve seen this in the past with the WMF [Windows Metafile] issue and the recent problems with Microsoft Office," Payne said in an interview with eWEEK.

/zimages/3/28571.gifPaying for flaws has been paying off for iDefense. Click here to read more.

TippingPoints Endler dismissed such a suggestion, making it clear that his company will only provide the name of the vendor and wont be providing any details that might pinpoint the affected product or the cause of the vulnerability.

iDefense itself has used quarterly challenges to point hackers at specific vendors and applications. In February 2006, the company offered a $10,000 reward to any hacker who found a critical worm hole in a Microsoft product, and eventually paid a single, anonymous researcher the bounty.

Earlier in August, iDefense trained its sights on serious holes in Web browsers, offering a new $10,000 prize to any hacker who can find a remotely exploitable code execution hole in Microsoft Internet Explorer or Mozillas Firefox.

/zimages/3/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

According to Payne, the hacking challenges help to ensure that serious software bugs are disclosed responsibly to affected vendors. "At the height of the WMF issue, that flaw was traded in the underground community and caused a lot of damage to our customers. If we can keep those flaws away from black hats, we are doing a service to the industry," he said.

He pointed out that the WMF exploit code was sold by Russian hacker groups for $4,000 a pop long before the attacks of December 2005.

"We wanted to flush these kinds of exploits out and make sure they are given to the vendor in a responsible way," Payne said, stressing that iDefense works very closely with all vendors to make sure patches are shipped before any information is publicly posted.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.