Symantec's SecurityFocus buyout met with pessimism

Bug trackers fear BugTraq death

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

There's been considerable discussion this weekend of the recent sale of SecurityFocus to mega-corporation Symantec for a sweet $75 million. At issue in particular is SF's BugTraq mailing list, which has for years been the most popular full-disclosure vulnerability list going.

While Symantec has stated that it will not exert influence on BugTraq, which it now owns, many list members find that assurance hard to trust. However, in this case only time will tell. I personally have little doubt that the SF staff intend to keep BugTraq and its extensive archives independent and free. Whether they'll succeed in the long run is an entirely different matter.

The deal has generated further controversy because SF has sold something quite valuable which it received free of charge, namely the exploits submitted by list members. These are valuable for developing scanning software like Snort, Nessus, and the like. And naturally, when this much cash changes hands, people may get envious. They may also feel they're owed something for the free contributions they've voluntarily made.

Coincident with the Symantec announcement, a new list opened up to address the anticipated fall of BugTraq. It's actually called Full Disclosure and is unmoderated, meaning that within hours it began degenerating into a forum for the 'full disclosure' of members' opinions.

Among these are a comment from Charles Stevenson bringing the security 'community' to task for "supporting the exploitation and misuse of proprietary exploit source code to further the large companies' for-profit endeavours."

There was also a suggestion from Jay Dyson that exploit code submissions and vulnerability advisories be licensed in some way to prevent their use by profiteers.

Conflict alert

At this point I have to say that The Register and SecurityFocus have a longstanding business relationship involving content sharing. And I may as well add that SF Editorial Director Kevin Poulsen is a close friend of mine; and that I happen to like and respect co-founder Elias Levy, though I'm not closely acquainted with him. Now back to my completely unbiased article.

Sour resumes

It does seem odd that contributors to BugTraq should expect consideration after making free submissions to it with no expectation of reward. So far as I know no one at SF ever asked them to perform the work which their submissions represent, or ever promised them anything in return. The idea behind BugTraq has always been to make the information available to anyone who can use it. And so long as it remains freely available, there shouldn't be a problem.

As we saw at H2K2, some people believe that a large fraction of posts to BugTraq have more to do with resume padding than the free exchange of ideas and selfless sharing of research for the improvement of everyone's security. (I happen to agree with this observation.) According to the theory, people send in exploit code they've spent days or weeks perfecting in quest of the publicity needed to find fabulous jobs or to start up their own security firms.

But now people are concerned that BugTraq won't continue to function as it has in service of these ambitions. And if these fears should be justified over time, other public outlets for cleverness exhibition will have to be devised and other forms of compensation sought. Thus the idea of cashing in on the code is circulating.

Of course that would cause problems for developers of free and open-source products. Perhaps a EULA could be useful here, stipulating that the code is royalty-free to GPL'd open-source apps and share/freeware, and imposing a royalty on its use in proprietary, for-profit products. Or perhaps not. Personally, I don't see any way something of that sort can be enforced. If a big company steals your idea, they can all too easily claim that their vast team of researchers hit on the same item coincidentally (this often happens for real, as the publication of new discoveries will set many different people thinking along similar lines).

The questions surrounding vulnerability disclosure are endless and probably insoluble. Even the very fact of disclosure is controversial: many believe that the announcements give malicious hackers an unfair advantage; many others (like me) believe that withholding the information leaves users at increased risk on the theory that forewarned is forearmed.

And the timing of announcements is still in dispute. How long is 'long enough' for a vendor to patch an issue before the details are released publicly? I'm in favor of full disclosure, yet I was appalled when ISS recently gave Apache less than 24 hours to deal with a significant vulnerability.

And now we have the issue of what a researcher is owed for work freely offered. Publicity used to be enough; but now that people have begun worrying about the future independence of BugTraq, it may not be enough for long. As one observer remarked, there's a difference between contributing to SecurityFocus, and working for Symantec.

At this point I have to appeal to the wisdom of The Reg's beloved readers. Does the act of making a free contribution to a public, full-disclosure list imply that the material is up for grabs? Aren't restrictions on further use a contradiction of everything 'full disclosure' represents? Should contributors to open forums expect consideration when someone else profits from their work? Should they have the right to deny use of their contribution by for-profit concerns who refuse to pay? Should open-source developers be given freedom to use the data, while commercial developers are expected to kick back a royalty? Is there any hope of enforcing or defending a patent, copyright or EULA on such submissions? Is there any practice or standard that won't make network and software security an even more gargantuan mess than it already is?

I honestly don't know. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.