Feeds

Bug brokers offering higher bounties

Buyers locking up flaws to increase their shelf life?

Choosing a cloud hosting partner with confidence

Adriel Desautels aims to be the go-to guy for researchers that want to sell information regarding serious security vulnerabilities.

The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms - as well as the odd government agency - for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000.

"I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview.

It's a statement that underscores the increasing acceptance of the sale of vulnerability information. Once a frowned-upon practice, the sale of such information is taking off. Flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP) have added legitimacy to the practice, even if they remain controversial. Software vendors have had to increasingly get used to dealing with third parties reporting security flaws that were bought from anonymous researchers. Microsoft, for example, patched at least 17 flaws reported by the two programs in 2006, up from 11 reported in 2005.

Desautels, now the chief technology officer for boutique security firm Netragard, highlighted the trend by announcing a program on Wednesday whereby the security company would act as a broker to any researcher with a critical flaw to sell. The program could be a more lucrative option for freelance researchers aiming to sell information on software vulnerabilities.

In many ways, the push by researchers for greater returns on their research efforts is part of the ebb and flow of the debate over the proper way to disclose information about software vulnerabilities. In 2000, a researcher known as Rain Forest Puppy released a basic framework, dubbed the RFPolicy, for disclosing vulnerabilities in a way that seemed fair to responsible software makers. In 2002, two security researchers further refined the guidelines and submitted them to the Internet Engineering Task Force (IETF), but the technical standards body decided that setting disclosure policy was outside of its jurisdiction. Over the past few years, software makers, and Microsoft in particular, have focused on holding researchers to the guidelines, calling such disclosure "responsible."

It's been an uneasy truce, and one that has fractured in many places. In 2005, a researcher attempted to auction off information about a flaw in Microsoft Office. Other flaw finders have decided to just release details of vulnerabilities they have found as a punishment for what they believe to be irresponsible behavior on the part of the software vendor. In the last six months, for example, a number of researchers have collected advisories on potential security issues into month-long releases of daily bugs. The trend started with the Month of Browser Bugs in July and continues with the latest Month of Apple Bugs this month.

Now, flaw finders fed up with software vendors are increasingly turning to third parties to buy their research.

"One of the reasons why the hacking community is so frustrated with large corporations is because these corporations are making a killing off their research and they are not seeing fair value for their work," Desautels said in an online interview with SecurityFocus.

Software makers typically do not pay for vulnerability information, with the notable exception of the Mozilla Foundation. The well-known public bounty programs typically pay thousands of dollars for original vulnerabilities, while lesser-known private deals can net a researcher tens of thousands of dollars, according to security experts.

The amounts quoted by Desautels are not excessive, according to experts interviewed by SecurityFocus.

In September, for example, a private buyer approached noted security researcher HD Moore and offered between $60,000 and $120,000 for each client side vulnerability found in Internet Explorer, the founder of the Metasploit Project said. Moore declined to pursue the offer, but said that such prices are typical of high-level private purchases, while information on serious flaws in generic enterprise-level applications can be sold to safe buyers - such as 3Com's ZDI program and VeriSign's VCP program - for between $5,000 and $10,000.

"The ZDI and (VCP) programs are definitely the easier way to sell a vulnerability, but at the 5x or 10x multipliers you see from a private buyer, it's usually worth the effort," Moore told SecurityFocus in an e-mail interview.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.