A week ago, a Swiss company by the name of Wabi Sabi Labi (gotta love the name) launched an Ebay-style marketplace for software vulnerabilities. They allow anyone with a verified security flaw to auction it off on their site. Wow!
While I find this very discomforting because of the potential for exploitation of such defects by unscrupulous 'buyers', I believe researchers should be compensated adequately by software manufacturers for "ethical disclosures" that end up improving software quality.
Fact: 99% of all bugs are customer-found.
Software is imperfect because we are imperfect, thus, defects are here to stay. Therefore, anyone that helps to "dev test" a software to the point of identifying a flaw should be compensated (and possibly offered a job) for their hard work.
Although I do not condone the WSL marketplace, I do understand why it came about. It is a logical reaction to the lack of fair recognition that is currently given to members of the public that point out software flaws to manufacturers.
The fair thing to do would be for WSL to offer software OEMs the chance to "buy" vulnerabilities offline before resorting to publicly offerings. On the flip side of this, I guess researchers can now add WSL to their list of leverage points when negotiating software OEMs.
Thoughts?
/Peter
2 comments:
I personally like the idea of a marketplace for vulnerabilities that some vendors don't wish to disclose. But then again, I've always been a proponent of a transparent society :)
Yet another player in this space...
Start-up reignites bug-disclosure debate
Dawn Kawamoto
810 words
3 August 2007
ZDNet UK
English
(c) 2007 CNET Networks. All rights reserved
VDA Labs, which finds flaws in software, has a unique business model: software vendors pay for discovered flaws or see them sold to third parties
An upstart security research firm with a controversial business model is at the centre of a debate over how software bugs should be disclosed.
Vulnerability Discovery and Analysis (VDA) Labs, founded in April by Jared DeMott, notifies software vendors of security bugs found in their software, as do many other security researchers.
But, as part of VDA's business model, vendors are asked to pay for the bugs it discovers, or its consulting services, otherwise VDA threatens to sell the bug to a third party or make the details of the security flaw public.
DeMott, who has done work for the National Security Agency among other places, describes his business model as edgy, while other security researchers see it as more akin to extortion. The practice, in either case, veers away from the more traditional ways bug hunters have worked with software vendors and security firms.
Just two weeks ago, LinkedIn, the popular social-networking site, got a taste of VDA's business practices, when the Michigan security company claimed it had found a critical security flaw in the LinkedIn Internet Explorer toolbar.
We've discovered an attack against the LinkedIn toolbar. If you are interested in the bug, we would like to give first right of refusal to purchase it. We'd also like to perform a more complete security audit of your products. We can help make the LinkedIn products more secure, DeMott stated in email sent to LinkedIn on 10 July.
The email continues: If you wouldn't like to buy it, then we are happy to resell or release as a full disclosure to help prevent security issues arising on end users' servers. We strongly believe in keeping users safe. We are unique in that we give vendors a first chance at the bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA Labs value-add document attached. If you'd like to buy the bug, we will provide working attack code, so that you can verify the bug, before you send the cheque.
VDA set a deadline of 17 July and requested a payment of $5,000 (2,457).
After failing to receive a response from LinkedIn, DeMott sent two emails on the eve of the deadline. One served as a reminder that the deadline was looming, and the other stated the price had increased to $10,000 (4,914).
Just developed the attack into a working exploit ($10K) now. Call me, DeMott wrote in the email.
Two days after the deadline passed and details of the security flaw and how to exploit it were published, DeMott sent another email to LinkedIn.
So, if your company policy is to not buy bug reports, would you be willing to sign up for consulting [with VDA] then? We could include this bug as part of the final report. I really just had to irresponsibly release this exploit, DeMott said in the email.
LinkedIn declined to comment. The company has since patched the exploit identified by VDA.
DeMott, who confirmed he sent the emails, defended his company's business practices and noted it's done to protect users by issuing them a heads-up, and by prompting vendors to take action to patch the flaw.
He also pointed to the VDA value document, which outlines his company's services and pricing.
Our business model is a little edgy, but we never saw it as extortion or thought of it that way, DeMott said. We wanted to do something that would really grab the vendor. The vendors don't make money [through] patching products. They're more interested in selling products. We were afraid they would try to put us on the back burner.
Some software companies do not work with security researchers as a matter of policy, and only act on vulnerabilities if flagged by their customers.
Other security researchers are critical of VDA's business model.
Anytime you have someone saying they have this, and that, unless you give them money, they'll do that, that's extortion, said Frederick Doyle, director of VeriSign iDefense research lab and a former police officer in the state of New York.
Johannes Ullrich, chief research officer for the Sans Institute, expressed similar sentiments.
I think this is extortion, particularly if he threatens to release the bug publicly if he's not paid, Ullrich said. You should not hold a bug hostage.
VDA is not alone in its business practices, said Terri Forslof, manager of security response for TippingPoint, which is owned by 3Com.
Post a Comment