    Paying for Flaws: Undermining Security or Rewarding Good Deeds?

    By Ryan Naraine - July 25, 2005

      3Com Corp.'s announcement that its Tipping Point division would start paying for the rights to security flaw information found by private researchers has reignited an old debate: Should underground hackers benefit from breaking into software systems?

      Tipping Point's new ZDI (Zero Day Initiative), which will take center stage at the Black Hat Briefings in Las Vegas later this week, effectively validates the market for rewarding members of the digital underground, but Internet security experts argue that the practice undermines the principle of responsibly reporting vulnerabilities directly to software vendors.

      For many, the business of finding software vulnerabilities should never be a for-profit exercise.

      “People should never be rewarded for breaking into software and finding weaknesses. They should do it out of a need to create a more secure environment for everyone,” said one researcher, who declined to be identified.

      “The more we see these companies throwing money at underground hackers, the more it creates an unstable environment where the software vendor will be held to ransom.”

      That reaction isn't uncommon. In a recent interview with Ziff Davis Internet news, eEye Digital Security chief operating officer Firas Raouf said his company had a fundamental objection to paying for security flaws.

      “You end up getting people who aren't necessarily experts in the field trying to find something and sell it to the highest bidder … Once you start this, unless there's a strict process in place to manage it, you may end up with more problems for everyone,” Raouf said.


      iDefense Inc., the security intelligence firm that was recently acquired by VeriSign Inc., was the first to tap into the market for security flaw information.

      The company's three-year-old VCP (Vulnerability Contributor Program) pays researchers, some of them anonymous, who hand iDefense exclusive rights to advance notification of unpublished vulnerabilities or exploit code.

      Since the launch of the VCP, more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software researchers, according to Michael Sutton, director of iDefense Labs.

      In an interview, Sutton said more than 1,100 vulnerabilities have been submitted to the VCP by more than 200 security researchers.

      Of that total, about 50 percent are validated as legitimate security flaws.

      Once validated, iDefense will pay an undisclosed sum for the exclusive intellectual property rights to the research.

      “This program works very well. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches,” Sutton said.


      “It's not surprising to see Tipping Point launch a similar program. We've been a pioneer with this concept, and we've had incredible success over the years. When you run a successful program, you have to expect competition,” he said.

      “It really validates what we've been doing with the VCP. It just shows there's a big demand for vulnerability information and provides a big incentive for researchers who spend hours finding security flaws,” Sutton added.

      Thor Larholm, senior security researcher at PivX Solutions LLC, isn't quite happy with the way iDefense resells the flaw information it purchases, but agrees that paying for flaw information will become the norm once others enter the business.

      “Five years ago, it used to be a big deal for a researcher to get credited in a Microsoft bulletin. We're well past those days. People want to be compensated for the work they do, and these programs offer real incentives,” Larholm said, noting that the discovery of a bug in a widely deployed Internet-facing application could net a researcher a sum in the range of $6,000.

      iDefense's Sutton declined to discuss the price point for flaw information. “We don't discuss pricing, but I can tell you there's real value in that information.”

      Larholm believes the Tipping Point and iDefense initiatives will push software vendors like Microsoft Corp. into paying for bugs found by outside researchers.

      The software giant says it has never paid for information from private individuals.

      “We credit finders who report vulnerabilities under responsible disclosure and, from time to time, [we have] contracted security research companies to review code for products under development,” a company spokesperson said recently.

      Larholm believes it's only a matter of time before Microsoft shifts its thinking.

      “It would require a cultural change within Microsoft, but I think it's a change that will eventually happen. If there are other avenues for researchers to get paid for their work, very few people will be going to Microsoft directly. It's up to Microsoft to figure out whether they want that information in the hands of iDefense and Tipping Point customers before they can get a patch released.”

      “When a researcher works with Microsoft today, all they get is their name buried deep in a bulletin. In the past, researchers were happy to get the fame and notoriety, but that has changed. It has become hard work to find flaws because vendors are taking security more and more seriously. Today, it calls for heavy reverse-engineering and long days of work to crack into a product. These guys are looking to get paid,” Larholm added.

      iDefense's Sutton thinks Microsoft and other big-name vendors like Apple Computer Inc., Oracle Corp., IBM Corp. and Sun Microsystems Inc. should all think about paying for external vulnerability research.

      “People who uncover vulnerabilities have skills that are sought-after. The VCP has been successful for three years because there is value in that information. Tipping Point is launching a program because there is a market for the research. I believe those researchers have a right to profit from their skills. It's unfair to expect people to take time to find vulnerabilities and then give it away for free. The days of being happy with a mention in a Microsoft bulletin are long gone,” Sutton added.

      “If Microsoft was to start such a program, it would be a good thing. You cant expect quality assurance work for free anymore.”
