Paying for Flaws Pays Off for iDefense

iDefense releases a reverse-engineering tool to the open-source community and triggers a debate on whether information on unpatched security vulnerabilities should be purchased.

Internet security specialist iDefense Inc. has released a reverse-engineering tool to the open-source community as part of its controversial strategy of buying the rights to information on security flaws found by underground researchers.

The decision to roll out the IDA Sync tool was driven by a need to "contribute to the cycle" of making flaw-finding easier for the private individuals who participate in iDefenses VCP (Vulnerability Contributor Program).

The 3-year-old VCP involves financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code to iDefense.

Michael Sutton, director of iDefense Labs, said the wild success of the program has driven the company to release tools like IDA Sync, which is used to allow multiple analysts to synchronize their reverse-engineering efforts in real-time within the IDA Pro disassembler.

In an interview with, Sutton said groups of researchers can use the IDA Sync plug-in to connect to the disassembler and share comments and name changes.

"A large group of researchers can now pick apart a program and share their findings with each other right within IDA Pro, which is the de-facto standard for disassembling within Windows," Sutton said.

In addition to IDA Sync, iDefense has previously released tools such as IDA pGRAPH, a plug-in that generates control-flow graphs; IDA Function Analyzer, a IDA C++ plug-in designed to provide an abstracted layer over "chunked" functions; and the Attack Vector Test Platform, a tool that was used in the research for the paper titled "A Comparison of Buffer Overflow Prevention Implementations and Weaknesses."

Flaw-finding has generated big business—and invaluable publicity—for the Reston, Va.-based iDefense. So far this year, the company is credited with the responsible disclosure of 36 security bulletins, including major flaws in products sold by Computer Associates International Inc., RealNetworks Inc. and Apple Computer Inc.

/zimages/4/28571.gifRead more here about iDefense doing big business by buying vulnerability information from researchers worldwide and reselling it to customers.

Sutton said that more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software researchers.

"Well pay for the exclusive intellectual property rights to the research, and this program works for everyone. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches."

Next Page: The critics speak up.