Feeds

Bug brokers offering higher bounties

Buyers locking up flaws to increase their shelf life?

The Power of One eBook: Top reasons to choose HP BladeSystem

Adriel Desautels aims to be the go-to guy for researchers that want to sell information regarding serious security vulnerabilities.

The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms - as well as the odd government agency - for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000.

"I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview.

It's a statement that underscores the increasing acceptance of the sale of vulnerability information. Once a frowned-upon practice, the sale of such information is taking off. Flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP) have added legitimacy to the practice, even if they remain controversial. Software vendors have had to increasingly get used to dealing with third parties reporting security flaws that were bought from anonymous researchers. Microsoft, for example, patched at least 17 flaws reported by the two programs in 2006, up from 11 reported in 2005.

Desautels, now the chief technology officer for boutique security firm Netragard, highlighted the trend by announcing a program on Wednesday whereby the security company would act as a broker to any researcher with a critical flaw to sell. The program could be a more lucrative option for freelance researchers aiming to sell information on software vulnerabilities.

In many ways, the push by researchers for greater returns on their research efforts is part of the ebb and flow of the debate over the proper way to disclose information about software vulnerabilities. In 2000, a researcher known as Rain Forest Puppy released a basic framework, dubbed the RFPolicy, for disclosing vulnerabilities in a way that seemed fair to responsible software makers. In 2002, two security researchers further refined the guidelines and submitted them to the Internet Engineering Task Force (IETF), but the technical standards body decided that setting disclosure policy was outside of its jurisdiction. Over the past few years, software makers, and Microsoft in particular, have focused on holding researchers to the guidelines, calling such disclosure "responsible."

It's been an uneasy truce, and one that has fractured in many places. In 2005, a researcher attempted to auction off information about a flaw in Microsoft Office. Other flaw finders have decided to just release details of vulnerabilities they have found as a punishment for what they believe to be irresponsible behavior on the part of the software vendor. In the last six months, for example, a number of researchers have collected advisories on potential security issues into month-long releases of daily bugs. The trend started with the Month of Browser Bugs in July and continues with the latest Month of Apple Bugs this month.

Now, flaw finders fed up with software vendors are increasingly turning to third parties to buy their research.

"One of the reasons why the hacking community is so frustrated with large corporations is because these corporations are making a killing off their research and they are not seeing fair value for their work," Desautels said in an online interview with SecurityFocus.

Software makers typically do not pay for vulnerability information, with the notable exception of the Mozilla Foundation. The well-known public bounty programs typically pay thousands of dollars for original vulnerabilities, while lesser-known private deals can net a researcher tens of thousands of dollars, according to security experts.

The amounts quoted by Desautels are not excessive, according to experts interviewed by SecurityFocus.

In September, for example, a private buyer approached noted security researcher HD Moore and offered between $60,000 and $120,000 for each client side vulnerability found in Internet Explorer, the founder of the Metasploit Project said. Moore declined to pursue the offer, but said that such prices are typical of high-level private purchases, while information on serious flaws in generic enterprise-level applications can be sold to safe buyers - such as 3Com's ZDI program and VeriSign's VCP program - for between $5,000 and $10,000.

"The ZDI and (VCP) programs are definitely the easier way to sell a vulnerability, but at the 5x or 10x multipliers you see from a private buyer, it's usually worth the effort," Moore told SecurityFocus in an e-mail interview.

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.