Security intelligence outfit iDefense Labs is offering a $10,000 reward to any hacker who finds a worm hole in Microsofts products, but the software maker isnt exactly thrilled by the gambit.
One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, a spokesperson for Microsoft, based in Redmond, Wash., said paying for flaws is not the best way to secure software products.
“We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers,” the spokesperson said in a statement sent to eWEEK.
“Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end user,” the statement said.
The hacking challenge is part of VeriSign-owned iDefenses controversial VCP (Vulnerability Contributor Program), which offers financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code.
In an interview, Michael Sutton, director of iDefense Labs, defended the new program, insisting that it promotes the concept of responsible disclosure and keeps information on critical zero-day flaws away from malicious attackers.
“We want to use [the quarterly hacking challenge] to inspire our contributors to target their research in specific areas,” Sutton said. “We have a lot of clients running Microsoft products and they want to be protected from critical vulnerabilities.”
Sutton said the $10,000 would be paid as a “bonus” on top of fees paid for the initial vulnerability submission, and only for those bugs that result in a “critical” security bulletin from Microsoft.
According to Microsofts published rating system, a “critical” rating is given to a vulnerability that can be exploited without any user action to allow the propagation of an Internet worm.
In order to qualify for the bounty, the hackers submission must be sent during the current quarter and be received by midnight EST on Mar. 31, 2006, Sutton said.
Flaw-finding has generated big business—and invaluable publicity—for iDefense. Last year alone, iDefense publicly disclosed 150 vulnerabilities, in a wide range of computer products, including 11 in software from Microsoft.
“In 2005, we were credited with reporting 3 critical vulnerabilities to Microsoft, and we want to encourage our contributors to keep looking in that direction,” Sutton said.
“The nice thing is that a third party that has nothing to do with [the VCP] is deciding what the criticality is. Were still signing the contract with the researcher and were still paying the fee for the specific contributor, but were saying that if it results in a critical bulletin, theres a $10,000 bonus on the table,” Sutton said.
Sutton dismissed the notion that paying for vulnerabilities helps to push up the price for hackers who sell flaws on the illegal underground markets.
“The only model that makes no sense to me is the altruistic model. The vendor wants the researcher to do his code review for free and that doesnt quite fly. They are profiting from the vulnerability information but they dont want to pay for it,” Sutton said.
Sutton said it was strange that Microsoft offers $250,000 as a bounty to help capture a virus writer, but balks at paying for the information that would stop the propagation of the virus.
“I think all vendors should be paying for vulnerabilities. In a free enterprise, everything has a cost and a value. We have recognized that value and were willing to pay for it. The vendors should be doing the same thing,” he said.
iDefense is not the only vendor to pay for flaw information: 3Coms Tipping Point division buys the rights to bugs found by third-party hackers in its Zero Day Initiative program.
But not everyone is buying Suttons argument. Peter Mell, a computer scientist who manages the NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database), said dangling incentives for hackers to target a single vendor could set a dangerous precedent.
“I dont support this activity. Basically, it enables third parties to unfairly focus attention on a particular vendor or product. It does not help security in the industry,” Mell said in an interview with eWEEK.
“Any discovery of a vulnerability that is ethically and responsibly disclosed is a good thing,” Mell said, but he warned that big bounties only jack up the price in the already lucrative underground market. “The evildoers will continue to pay for vulnerabilities. This is a novel concept: to see if we can keep zero-days out of the hands of evildoers by paying for them ourselves.”
Another issue, Mell said, is that focusing hacker attention on a particular company or product could arbitrarily cause the stock price of a public company to fluctuate. “A third party with a lot of money could cause stock price shifts if they want to.”