Researchers Seek Cash for Software Flaws
For some security researchers who uncover flaws in leading computer programs,
a nod of appreciation from software companies is no longer enough. Now they
Critics say the purity of research is in jeopardy as discoveries are shopped
around instead of submitted directly to software vendors so they can quickly
develop a fix.
"I don't like there being an incentive to turn this into a market,"
said Bruce Schneier, chief technology officer for security company BT Counterpane.
"Then you create incentives for the bad guys to start finding this stuff
and selling it, and if the bad guys charge more, the good guys have to charge
Some companies already have been offering payments for such information --
hundreds or thousands of dollars depending on the severity of the flaw -- and a
Swiss-based auction site opened this month to encourage bidding for such knowledge.
Software vendors so far have refrained from purchasing the information themselves,
reluctant to encourage extortion -- researchers holding out or threatening to
sell to criminals unless they get the right price.
A black market has long existed for trading information about vulnerabilities
in software from Microsoft Corp., Cisco Systems Inc. and other vendors of products
crucial to running computers and sending data over the Internet. The information
could then be used to break into systems holding credit card numbers or secretly
plant spying software within a company's network.
Experts say government agencies also have been buying such knowledge -- not
to warn the public but potentially to break into computers for national security
or criminal investigations. Charlie Miller, a former National Security Agency
employee, said one agency he wouldn't name paid him $50,000 in September.
To keep up, security company iDefense, now part of VeriSign Inc., pioneered
the "white hat" market for exploits about five years ago, creating
the Vulnerability Contributor Program to reward legitimate researchers who submit
information on flaws. TippingPoint, a unit of 3Com Corp., followed with a similar
program three years later.
In both cases, the security companies buying the information then work with
vendors and avoid disclosing the flaws publicly until a fix is developed. The
information is valuable because the security companies can sometimes use the
knowledge to protect their own customers in the interim.
Although researchers historically have shared knowledge for free, "there's
been a market that has naturally evolved where this information is power,"
said Ken Durham, director of the rapid response team with VeriSign-iDefense.
"Our concern is people would start to turn to the dark side unless they
had a responsible avenue."
Terri Forslof, who runs TippingPoint's Zero Day Initiative, said programs like
hers can never pay as much as the black market, but most legitimate researchers
are willing to accept smaller payments knowing the buyer would handle the information
The newly opened auction site, WabiSabiLabi, doesn't require buyers to work
with vendors on a fix before disclosing the flaw. Operators of the site say
they try to validate both buyers and sellers -- for example, requiring copies
of passports and bank account information -- but many people remain skeptical.
"You potentially do not know who is buying that vulnerability," said
Mark Miller, Microsoft's director of security response communications. "The
potential for customer risk can be increased."
Roberto Preatoni, strategic director for WabiSabiLabi, said criminals have
no need for his site because they can remain anonymous in the black market.
He also said his auction functions more like eBay Inc.'s site in connecting
buyer and seller, and thus questions of legal liability and disclosure are strictly
between those parties.
So far, the amount of vulnerability research that's sold pales in comparison
to what's submitted directly to vendors or discovered by the vendors' own research
staff. But there are signs the market is growing.
"It's new territory. It's uncharted," said Russell Smoak, head of
Cisco's Product Security Incident Response Team. "I have been approached
by researchers that have asked [for payment] and to date, we've said no."
Charlie Miller, now the principal security analyst at Independent Security
Evaluators, said the demands for payments stem from frustrations that vendors'
in-house researchers "are making a lot of money to look for bugs and whenever
someone from the outside finds something, they don't get paid anything."
Preatoni described his auction as a way for researchers to receive what their
knowledge is truly worth, saying the security industry is currently built on
top of research that is undervalued.
Matthew Murphy, who received hundreds of dollars for each of about a dozen
submissions to iDefense's program, said that while payments aren't enough to
replace a full-time job, they earned him enough in high school to buy his parents
a new computer and give him spending money for dinner with friends.
But Miller, after trying to sell two separate vulnerabilities himself including
the $50,000 one to the government, concluded it wasn't worth the trouble. He
said it was difficult identifying potential buyers, and in one case the vendor
had fixed the problem before he could complete the sale.
"I would have loved to start a business out of it," he said. "One
of the lessons I learned is that it's impossible to do that."
And that's been one of the challenges of the WabiSabiLabi auctions. Potential
sellers must reveal enough to entice buyers, but revealing too much can help
others find the flaw independently, negating its value. Preatoni said the site
does verify all claims before starting an auction.
Microsoft, which makes the oft-targeted Windows operating system, said it has
no plans to start paying contributors, noting that many researchers have eagerly
submitted their findings with only the promise of credit, which can be added
to resumes to boost job prospects.
"They've clearly told us that by working with us, that model also works
for them," Microsoft's Miller said.
Marc Maiffret, chief technology officer at eEye Digital Security, said he,
too, has refrained from paying contributors, saying such sales "are pretty
much supporting a market which eventually turns into a bidding war. It drives
people not to report [problems] to vendors."