Zero-day sales not 'fair' - to researchers
So how much is a vuln worth... and who's buying?
Two years ago, Charles Miller found a remotely exploitable flaw in a common component of the Linux operating system, and as many enterprising vulnerability researchers are doing today, he decided to sell the information.
Having recently left the National Security Agency, the security professional decided to try his hand at selling the bug to the U.S. government. In a paper due to be presented next week at the Workshop on the Economics of Information Security, Miller - now a principal security analyst at Independent Security Evaluators - writes about the experience and analyzes the market for security vulnerabilities.
In the case of the Linux flaw, one agency offered him $10,000, while a second told him to name a price. When he said $80,000, his contact quickly agreed.
"The government official said he was not allowed to name a price, but that I should make an offer," Miller told SecurityFocus. "And when I did, he said OK, and I thought, 'Oh man, I could have gotten a lot more.'"
The sale underscores a significant problem for vulnerabilities researchers that attempt to sell a flaw: Determining the value of the information. In addition, time is a major factor: Miller felt pressured to complete the deal, because if anyone else found and disclosed the flaw, its value would plummet to zero. In a second attempted sale outlined in the paper, the disclosure clock ran out for Miller as he tried to sell a PowerPoint flaw that Microsoft patched this past February before the researcher could close the deal.
Yet, researchers that sell vulnerabilities should also consider the ethical issues involved, said Terri Forslof, manager of security response for TippingPoint, a subsidiary of networking giant 3Com.
"The value of the vulnerability is determined by the amount of time that the vulnerability can be used to get a return on investment before it is patched," Foslof said. "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched."
Miller's paper comes as sales of vulnerability information are becoming more common. Driven by researchers' reluctance to give away hard-won information for free and the standardization on flaw bounties through initiatives such as iDefense's Vulnerability Contributor Program and 3Com's Zero-Day Initiative, flaw finders are increasingly trying to get paid for their work.
Miller found out that selling a flaw for a fair price is difficult. While the unnamed government agency offered the researcher $80,000, they placed a condition on the sale that the exploit would have to work against a particular flavor of Linux. Two weeks later and worried that the flaw might be found, Miller accepted a lesser offer from the same group for $50,000 for the exploit as is.
"While I was paid, it wasn't a full success," he wrote in the paper (PDF). "First, I had no way to know the fair market value for this exploit. I may have been off by a factor of ten or more."
Moreover, Miller had contacts in the government, but could not initially find the right people with which to deal. So, he offer a 10 percent cut to a friend who had better contacts. Other researchers might not be able to find the right contacts to complete similar deals.
"The only reason this sale happened at all was because of personal contacts I had, which should not be necessary for a security researcher who wants to make a living," he wrote in the paper.
The sale of a second vulnerability did not go so well.
In January, Miller was approached by a friend who wanted to sell a flaw in Microsoft PowerPoint XP and 2003. Miller found very little guidance in the market to help him set a price, but he believed a company would pay up to $20,000 for the flaw and a government agency, perhaps $50,000.
In reality, he only had a handful of offers but haggled one company up to $12,000. Before he could close the deal, however, Microsoft released a fix for the issue. The delay and difficulty in finding a buyer and the problems in setting a price had essentially scuttled the deal, Miller said.
"I don't think it fair that researchers don't have the information and contacts they need to sell their research," Miller said.
Yet, TippingPoint's Forslof stressed that selling to the government is not necessary setting a fair price for a vulnerability. Legitimate markets include companies that use vulnerability information to protect their customers while they contact the vendor to get the issue fixed. The government generally constitutes a gray market, because they most likely are not going to notify the vendor and the researcher does not know how they are going to use the information. The black market, where the buyers are likely to use the vulnerability for illicit purposes, would likely pay the most money but put end users in the most jeopardy.
"There are a range of prices when you are talking about fair market value versus black market value," she said. "And the government is in a class of their own. It's a matter of what is going to happen to that vulnerability and how they are going to use it."
The answers to those questions drove one researcher to deal with a vulnerability-buying program rather than selling to a government agency.
Security researcher Aviv Raff found two trivial-to-exploit vulnerabilities in a component of the Windows Vista operating system late last year. He shopped the more critical flaw to a number of security companies as well as the two major vulnerability-purchase programs. While some of the security companies bested the offers from TippingPoint and iDefense, he declined to sell the flaw to them because they would not commit to notifying Microsoft of the issue.
For the same reason, selling the vulnerability to the government was out of the question as well.
"I wouldn't mind (selling the information to the government), if I knew they will report it to Microsoft," Raff said.
Because of the terms of the sale, Raff cannot mention the name of the program to which he sold the vulnerability nor the price at which he sold it, except to say it's much less than $80,000.
Raff directly notified Microsoft of the less critical of the two vulnerabilities. The software giant has not yet patched the flaws.
This article originally appeared in Security Focus.
Copyright © 2007, SecurityFocus