Paying a Bounty for Security Flaws
Another security company on Monday offered to pay security researchers who discover and responsibly report security flaws in commercial software products.
The goal of the "Zero Day Initiative," announced Monday by TippingPoint, an Austin, Tex.-based security services firm owned by data networking heavyweight 3Com Corp., is to discourage bug finders and hackers from telling the whole world about a previously unknown software security flaw without first giving the software vendor advance notice and ample time to develop a patch to fix the problem.
Dave Endler, TippingPoint's director of security research, said the effort is especially aimed at people in the hacker underground who might otherwise sell the information to other bad guys or post it online for anyone to use.
"It's well known that underground crime groups in Eastern Europe are vying for and buying these vulnerabilities to conduct phishing and other targeted attacks," Endler said. "So, if we can notify the vendor of the problem and convince the discoverer to share the information with us instead of these other groups, that's a win-win for general Internet security."
Once TippingPoint has verified the vulnerability, it will offer the discoverer a payment in exchange for exclusive intellectual property rights to the information. Assuming the discoverer accepts the offer, the company will notify the software maker about the problem, and then share the specifics with other, approved security software companies. Those companies would be given enough information about the flaw to build in protections against it for their clients, but they would be forbidden from disclosing any details about it until the vendor releases a fix for the vulnerability.
This is hardly the first time a company has offered payment in exchange for the skinny on the latest software and hardware security flaws. Endler's previous employer -- iDefense Inc. , a Reston-based security intelligence firm in the process of being acquired by VeriSign -- had a nice business of buying and selling information about new exploits to high-paying clients, mainly banks and the Department of Homeland Security. Early on, iDefense caught a fair amount of flack for the program, as critics said it encouraged hackers to dig for exploits. But VeriSign's $40 million deal to buy the company shows the practice is becoming accepted in the cyber-security community.
Security flaws that the vendors themselves don't yet know about have become even more valuable in online criminal circles as companies and individual home users deploy increasingly sophisticated systems to ensure software security patches are applied before attackers can exploit the holes they close. So-called "zero day" exploits and vulnerabilities also are highly prized by companies in the business of providing custom security services that claim to protect customers from the latest threats, especially threats for which the vendor has not yet released a patch. By trumpeting their findings (whether those findings are bought or discovered in-house) security providers can look good while calling attention to their latest products and services.
TippingPoint declined to talk about how much it might pay for vulnerability information. "Honestly, we don't want to publicize prices because it creates an uneven set of expectations," Endler said. "Once you publish that information, you can't take it back."
Endler said, however, that just how much the company will pay for a given exploit or vulnerability would depend on a variety of factors, including how widely used the program is, how easy it is to exploit, and the level of damage an attacker could inflict by exploiting the flaw.
Whether TippingPoint's payments will rival that which online criminal gangs are willing to pay is open to debate (the scuttlebutt is that most of these companies pay three-figure or low four-figure sums for detailed information on security flaws).
The Zero Day Initiative received a chilly reception from at least some in the security research community, including several folks posting to Slashdot and "DailyDave," a mailing list run by Dave Aitel, who heads up New York City-based security research firm Immunity Sec. Then again, Immunity also will be competing to buy security flaws from researchers, information the company routinely shares with other members of its vulnerability sharing club (where a membership costs between $50,000 to $100,000 a year.)
Incidentally, the Mozilla Foundation, the maker of the Firefox Web browser, among other applications, has long offered a reward of $500 to anyone who finds a flaw in any of its current software that meets the criteria laid out in its Security Bug Bounty Program. I wonder if Microsoft would ever consider creating its own responsible disclosure rewards program? It might be cheaper in the long run than offering $250,000 bounties for the authors of the latest major worm that targets its Windows OS.
Posted by: Patrick | July 26, 2005 1:24 PM | Report abuse
Posted by: Dave Aitel | August 2, 2005 1:22 AM | Report abuse
The comments to this entry are closed.