
Casablanca, Buying Vulnerabilities and Digressing posted by Rick Howard


I got a call last week from a newspaper reporter. He was wondering about the status of the iDefense Vulnerability Contributor Program (VCP: Here and Here) and other commercial programs of the same ilk that buy vulnerabilities from independent researchers. He was wondering whether there has been any change in attitude in recent years as the security community has matured. This is a great question. Let me try to answer it.

Paying for bugs used to be very controversial. When iDefense pioneered the idea many years ago, the security community was aghast that somebody might actually pay researchers to find weaknesses in enterprise-level software.

I am reminded of that great movie, Casablanca when Claude Rains announces to the crowd in Humphrey Bogart's café that he is closing it down for the night.

Bogart: How can you close me up? On what grounds?

Rains: I'm shocked, shocked to find that gambling is going on in here!
[a cashier hands Rains a pile of money]

Cashier: Your winnings, sir.

Rains: [sotto voce] Oh, thank you very much.

Rains: [aloud] Everybody out at once!

That's my favorite scene in the entire movie, but I digress.

Today, the practice of buying vulnerabilities is more accepted, and many organizations participate in it. Responsible Disclosure -- the act of buying and identifying bugs, informing the responsible vendor, but keeping the information private until the vendor fixes the issue -- is not perfect by any means. The process is frustratingly slow in some cases; however, it is the process that has stabilized over time, and all parties benefit. Researchers pursue their interests and organizations compensate them for their efforts. Vendors discover new bugs in their products. Responsible Disclosure participants provide value to their customers in the form of early warning until the bug is fixed. Finally, the security community as a whole benefits because bugs are identified and fixed; maybe not as fast as we would all like, but fixed all the same. Most in the security community realize this. There are outliers for sure: those who have proclaimed that the system is too slow and, out of frustration, hurl zero-day vulnerabilities into the public without warning. This just introduces chaos into the system and causes everybody to twist themselves into knots reacting to whatever the impact might be. I like to think about Responsible Disclosure in much the same way that I think about a democracy in action. It is painful and slow and inefficient, but it is far superior to other, more destabilizing options.

But then the reporter hit me with an even harder question. He asked, "How effective is this method, given that the underground market has developed to the extent that cyber criminals can offer much better prices for vulnerabilities?"

Let me just say that I reject this notion. The vulnerability market is a market like any other. The price of a vulnerability reflects whatever the market will bear. People buy vulnerabilities for different reasons. At VeriSign / iDefense, we buy them to give our customers early warning. Other white hat researchers buy them to enhance their security products. Black hat or grey hat purchasers have their motivations too. You may not like their motivations and you might not condone them -- I certainly do not -- but they exist all the same and are a fact of life.

Ultimately, all purchasers make a decision on the worth of a vulnerability based on the value that the vulnerability may bring to support their motivations. Is it likely that some buyers may want to pay a significant amount of money over what other buyers would pay? Sure. Does that mean that these other buyers have no role? Absolutely not.

There are many kinds of security researchers: white hat, grey hat and black hat. They decide which kind of purchasers they want to deal with and what kind of researchers they want to be. White hat researchers find bugs in enterprise-level software, help the Internet community become a little safer and get paid for their efforts. Grey hat and black hat researchers, in some cases, give their research up to nefarious organizations whose purpose they may not fully understand. They might get paid handsomely for their efforts, but they are definitely not making the Internet safer. Unfortunately, vendors do not fix those kinds of vulnerabilities until the damage is done. The bad guys who leverage that research may use it to commit cyber crimes, to conduct cyber espionage or to execute some other nefarious purpose. The security community does not get to fix that vulnerability until somebody discovers it, and there is no guarantee that we will discover it either.

As an aside, don't think that a grey hat selling that kind of research is free from criminal charges either. I have heard some researchers say that they are just building tools. They are not culpable since they do not actually pull the trigger to do anything illegal. At least in the US, this is just not true. Consider the Gonzalez-TJX case if you don't believe me. Authorities sentenced Stephen Watt -- the guy who wrote the sniffer software called "Blah Blah" that the Gonzalez team used to sniff credit card numbers from high-profile retail stores -- to two and a half years in prison for his efforts even though he was not part of the Gonzalez team that actually conducted the operation. Two and a half years! That is not insignificant.

But I digress.

I fundamentally disagree with the notion that because the black hats and the grey hats can possibly make more money selling vulnerabilities, the white hats have no role to play. Clearly that is not true. The iDefense VCP program is alive and well. It produced more than 50 vulnerabilities last year, at least 30 of which were high-impact Microsoft vulnerabilities. Other white hat operations had similar successes.

I believe it is clear that white hat vulnerability research is here to stay. Now if I can just find that cashier and get my winnings.