Bug brokers offering higher bounties
Buyers locking up flaws to increase their shelf life?
Adriel Desautels aims to be the go-to guy for researchers that want to sell information regarding serious security vulnerabilities.
The co-founder of security group Secure Network Operations Software (SNOSoft), Desautels has claimed to have brokered a number of deals between researchers and private firms - as well as the odd government agency - for information on critical flaws in software. Last week, he bluntly told members of SecurityFocus's BugTraq mailing list and the Full-Disclosure mailing list that he could sell significant flaw research, in many cases, for more than $75,000.
"I've seen these exploits sell for as much as $120,000," Desautels told SecurityFocus in an online interview.
It's a statement that underscores the increasing acceptance of the sale of vulnerability information. Once a frowned-upon practice, the sale of such information is taking off. Flaw bounty programs such as TippingPoint's Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program (VCP) have added legitimacy to the practice, even if they remain controversial. Software vendors have had to increasingly get used to dealing with third parties reporting security flaws that were bought from anonymous researchers. Microsoft, for example, patched at least 17 flaws reported by the two programs in 2006, up from 11 reported in 2005.
Desautels, now the chief technology officer for boutique security firm Netragard, highlighted the trend by announcing a program on Wednesday whereby the security company would act as a broker to any researcher with a critical flaw to sell. The program could be a more lucrative option for freelance researchers aiming to sell information on software vulnerabilities.
In many ways, the push by researchers for greater returns on their research efforts is part of the ebb and flow of the debate over the proper way to disclose information about software vulnerabilities. In 2000, a researcher known as Rain Forest Puppy released a basic framework, dubbed the RFPolicy, for disclosing vulnerabilities in a way that seemed fair to responsible software makers. In 2002, two security researchers further refined the guidelines and submitted them to the Internet Engineering Task Force (IETF), but the technical standards body decided that setting disclosure policy was outside of its jurisdiction. Over the past few years, software makers, and Microsoft in particular, have focused on holding researchers to the guidelines, calling such disclosure "responsible."
It's been an uneasy truce, and one that has fractured in many places. In 2005, a researcher attempted to auction off information about a flaw in Microsoft Office. Other flaw finders have decided to just release details of vulnerabilities they have found as a punishment for what they believe to be irresponsible behavior on the part of the software vendor. In the last six months, for example, a number of researchers have collected advisories on potential security issues into month-long releases of daily bugs. The trend started with the Month of Browser Bugs in July and continues with the latest Month of Apple Bugs this month.
Now, flaw finders fed up with software vendors are increasingly turning to third parties to buy their research.
"One of the reasons why the hacking community is so frustrated with large corporations is because these corporations are making a killing off their research and they are not seeing fair value for their work," Desautels said in an online interview with SecurityFocus.
Software makers typically do not pay for vulnerability information, with the notable exception of the Mozilla Foundation. The well-known public bounty programs typically pay thousands of dollars for original vulnerabilities, while lesser-known private deals can net a researcher tens of thousands of dollars, according to security experts.
The amounts quoted by Desautels are not excessive, according to experts interviewed by SecurityFocus.
In September, for example, a private buyer approached noted security researcher HD Moore and offered between $60,000 and $120,000 for each client side vulnerability found in Internet Explorer, the founder of the Metasploit Project said. Moore declined to pursue the offer, but said that such prices are typical of high-level private purchases, while information on serious flaws in generic enterprise-level applications can be sold to safe buyers - such as 3Com's ZDI program and VeriSign's VCP program - for between $5,000 and $10,000.
"The ZDI and (VCP) programs are definitely the easier way to sell a vulnerability, but at the 5x or 10x multipliers you see from a private buyer, it's usually worth the effort," Moore told SecurityFocus in an e-mail interview.
Ethics continues to be a central question in the sales.
Paying $75,000 for vulnerability research likely means that the buyer is a government agency, and not a private company, said Terri Forslof, manager of security response for 3Com's TippingPoint. And that raises a number of questions that should concern any ethical researcher, such as which government and whether the software vendor is notified of the vulnerability.
"When you are paying $75,000 for a vulnerability, that tells me that you are not reporting it to a vendor," Forslof said.
Because vulnerability information has a very short lifespan, recouping tens of thousands of dollars spent on buying a security flaw is difficult. However, by not telling the software vendor, it's likely that the value of the information can be preserved longer.
That fact leads to a trade off between ethics and profit for most researchers. Under the accepted responsible disclosure timeline, the flaw finder could notify the software vendor, pressure it to fix the flaw, wait months for a patch to come out and, perhaps, get acknowledged in the advisory. On the other hand, the researcher could sell the information for a significant price and not ask questions about the buyer.
"The buyer with the highest price often wins, but ethics do come into play when the business of the buyer can't be verified," Metasploit's HD Moore said in an e-mail interview.
Currently, the gray market does not seem to necessarily compete with government buyers. Rewards can be higher on the gray market compared to 3Com's and VeriSign's programs, with typical offers for client-side vulnerabilities ranging from $5,000 to $50,000, he said. However, government purchasers will generally bid higher.
Raimund Genes, chief technology officer for antivirus firm Trend Micro, has also seen offers for zero-day flaws between $5,000 and $20,000 in the gray market. More often, however, buyers attempt to trade credit-card numbers or goods, he said.
A notable exception occurred last month, when a researcher attempted to sell an alleged vulnerability in Microsoft's Windows Vista operating system for $50,000, according to Genes. That could be a sign that criminal enterprises are willing to compete for vulnerabilities.
"Definitely, they guy who was offering to sell (the flaw) though it might be possible," Raimund said. "It might not be out of range."
Fraudsters and spammers could turn a significant vulnerability into a widespread collection of compromised PCs - a bot net. Spammers have netted significant profits from stock-touting campaigns, while fraudsters have used bot nets to launch denial-of-service attacks as part of an extortion campaign or harvest valuable data from the systems.
Companies, on the other hand, have to justify the expense of buying vulnerabilities through enhanced services or penetration tests bolstered by sure-fire 0-day exploits.
For 3Com's TippingPoint, the Zero Day Initiative (ZDI) gives its researchers a leg up on attackers and competitors, because having the flaw information means more time to create and test the filters for exploits using the vulnerability. The company also gets publicity and a selling point for its services.
Still, it's not always an easy sell, 3Com's Forslof said.
"We continually have to justify where we recoup the cost," she said. "Mainly, we consider that we recoup it in research - look how much you would have to pay a top-notch researcher."
Some smaller firms have hit on ways to better profit from vulnerability information.
While 3Com's and VeriSign's well-known vulnerability purchasing programs have legitimized the trade in security research, smaller boutique firms that cater to penetration testers or that have high-value vulnerability disclosure lists could become significant competitors.
Buenos Aires-based Argeniss Information Security, for example, pays only for a small number of critical vulnerabilities. The company adds the information to its Ultimate 0-day Exploits Pack, an add-on set of attacks for the popular penetration testing tool, CANVAS. A 0-day exploit in Microsoft's Internet Explorer or Outlook can bring in a dozen new customers in a day, Cesar Cerrudo, founder and CEO of the Argeniss, told SecurityFocus in an e-mail interview
"For sure, we will pay more than iDefense," Cerrudo said. "Anyone will pay more than iDefense."
The nascent marketplace for vulnerabilities could suffer a shakeup if companies such as Argeniss and Netragard keep up the price pressures.
In 2002, security firm iDefense - now part of Internet giant VeriSign - kicked off its Vulnerability Contributor Program (VCP), offering thousands of dollars for security vulnerabilities. While the program grew quickly, unveiling 150 vulnerabilities in 2005 including 11 flaws in Microsoft software, the number of vulnerabilities outed by the program declined in 2006. The company only published 81 advisories in 2006 for flaws found by VCP researchers, only four of which were in Microsoft software (corrected). Earlier this month, the company offered $8,000 for the first six Windows Vista or Internet Explorer 7 vulnerabilities exclusively sold to its program.
The Zero-Day Initiative started at TippingPoint, now a division of networking giant 3Com, had strong growth in 2006. The program, started in July 2005, only released advisories for 3 flaws that year, but published information on 54 vulnerabilities - including 13 in Microsoft software - in 2006. The company does not publish the prices it pays for vulnerability information, but aims to compete directly against iDefense.
"To date, we have not lost out to iDefense on any offer," said Forslof. "We have people that have shopped around and they have always gone with us in the end."
iDefense did not make a spokesperson available for comment on its Vulnerability Contributor Program. However, a former iDefense manager believes that the industry still has room for more competitors.
"The vulnerability industry, in general, is still an immature industry," said Michael Sutton, the former director of iDefense Labs and current security evangelist for SPI Dynamics. "I think there is enough volume for at least a half dozen different players."
If the efforts of Microsoft and other major software vendors reduce the number of critical flaws, security researchers stand to gain from competition between buyers, Sutton said. Relying on selling vulnerability information could pay the rent, he said.
"You would be hard pressed to find someone who relies solely on the income from vulnerability research," Sutton said. "But the prices are getting high enough that, depending on where you lived and how good of a researcher you were, you could make a living."
CORRECTION: The article undercounted the number of Microsoft issues found by researchers participating in VeriSign's Vulnerability Contributor Program (VCP) in 2006. The program's contributors found four issues in Microsoft software.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus