
No More Free Bugs?

The disclosure debate is raging once again, and it's even seeing some discussion on the SCADA mailing lists.  This was stirred up by the No More Free Bugs “campaign” announced at CanSecWest by Miller, Sotirov, and Dai Zovi.  Accomplished guys, and names that should at least sound familiar if you try to stay current on security research.

So why the stir, what's changed?  Well, not a whole lot, but economists may very well have some interesting things to study in the future.  It's a sticky situation: the time it takes to create a reliable exploit for complex vulnerabilities is considerable, and it's understandable that a vulnerability researcher would want to be compensated for that time.  But in most cases the vendor didn't ask the researcher to look at their software, so they don't feel obligated to pay, and may well feel like they're owed the details since it's in their software.  And it's near impossible to try to get compensation, even in the form of recognition on an advisory, without it feeling like you're running a protection racket.  So clearly there's a need for change of some sort to make sure that research continues, software improves, and end users stay safe.

I'm interested to see how this will affect mainstream vs niche software (like SCADA systems). As vulns become more difficult to turn into reliable exploits in software like Windows/Apache/IIS/etc, do researchers turn their attention to more obscure software and hope for similar payoffs, or do they keep going after the big stuff in hopes of fewer but larger payoffs?  The potential damage from vulns in control systems is huge, but would vendors be willing to pay for the information?  Will bug bounty programs like Mozilla's become the rule rather than the exception?

This campaign alone won't change things completely.  Some researchers will sit on a mountain of 0day, some will drop everything they find on full disclosure, some will approach the vendor (some of those through a CERT), and others will sell it to a 3rd party.  These approaches are generally accepted by various parts of the security community in one way or another, but the one that I'm most apprehensive about is the last one.

I see a slippery slope, and it's a long way down there, but as markets grow regulation usually isn't far behind, which isn't necessarily a bad thing.  But I fear the possibility of having to work under a licensed vulnerability broker, and the thought of auditing software and exploits having the same kind of gray, selectively enforced laws that locksmith tools have in many places today.

Details about our own disclosure policy can be found here.

Comments

Comment from Jake Brodsky
Time: March 26, 2009, 8:30 am

In a market where there is really only one buyer (the software vendor) and one seller (the person who discovers the bug), how do you price such services?

Good luck to these guys for raising their prices. For all I know, they may be God’s gift to software bug discovery, but they seem to be missing a certain amount of business savvy. I can think of several other ways they could make good money from their skills…

Comment from Éireann Leverett
Time: March 26, 2009, 8:36 am

I’m glad you picked up the locksmith reference. As I’m sure you’re aware there are debates raging on the internet between locksmiths and hobbyist lockpicking groups right now. My main point is many professions have people who break things to learn something. Not all professions treat those people so disdainfully. Are people who crash test cars considered dangerous?

Basically, unenforceable laws are useless. So as far as I can tell, self imposed responsible disclosure, or at least a clear guideline of how *you* disclose is the best we can get. Then you hold the team to their own stated ethic.

Lastly, I still believe breakers are more useful to builders than builders currently understand. Look at how INL attack research culminated in patents (thanks for spotting that one DB). It's just a matter of changing incentives and raising awareness.

Comment from Nick DePetrillo
Time: March 26, 2009, 9:38 am

Dan,

I agree, that third party scenario is scary. As we know though, there are third parties actively shopping for 0day in order to weaponize it and sell to others, even our own Government. I can think of a few companies that are known to do such things.

- Nick

Comment from Daniel Peck
Time: March 26, 2009, 10:14 am

Jake,
Curious what you mean by one buyer? Do you mean that you think that there should be only one?

ZDI and iDefense have a pretty clear interest in getting the information early so that they can build protection into their products before a patch (as we know, the patch reveals the bug).

There's also various agencies, public and private, that are interested in buying exploits.

With the current state of things it seems like a seller's market to me.

Comment from Ron Southworth
Time: March 27, 2009, 3:52 am

Hi Jake

I agree with the discomfort you are expressing as an end user.

The reality is that people are making a living out of software vulnerabilities and as such need to obtain an income. This does depend on the ethics and/or motivations as to what form the income may take or is acceptable to the “code cutter” concerned.

I think it is a question of promoting an ethic that supports responsible disclosure management as has already been said. As an end user we certainly cannot do too much about it except for improving our overall security posture.

I don't think you can ever mitigate against the unknown, but we can do proactive things to encourage the improvement of code quality & reduce the available attack surface of our systems to an acceptable risk appetite for a given category of attacker appropriate to their level of skills. Forensics and better detection and analysis tools are, I suppose, the overarching element to oversee system operation and detect any out-of-nominal behaviour.

Developing and practicing incident response capabilities to manage the impact of such attacks is probably the final thing to keep up to date.

Ron

Comment from Matthew Franz
Time: March 27, 2009, 9:11 am

DaveG’s blog over on Matasano cuts to the heart of the matter (both technically and on the value proposition of exploits & vulns) and also gets at the difference at why exploit writers are probably not going to be interested (sorry Jake) in security QA jobs. The motivation is different, the mindset is different. Inside a vendor, I was never an exploit developer only a bug finder. You don’t need to weaponize you just get the defect fixed. It is not about finding one way to do X, it is about coverage, repeatability, consistency, scaling this across multiple products & builds. (Also the difference between security engineering and hacking, IMHO, but I’ll stop there…)

From http://www.matasano.com/log/1547/vulnerability-research-times-they-are-a-changin/

“While there is no doubt that finding vulnerabilities in software we care about is hard, it pales in comparison to how hard it is to make a working exploit. Most vulnerability researchers want to write exploits not find bugs. The time spent in weaponizing an exploit is considerable, and gets tacked on to the total price tag of any identified vulnerability. For the vendor that results in artificial inflation, for someone who needs a working exploit it is the value proposition.”

To me this is good news for the good guys, although it might be less true for the brain-dead apps in this space where the vulns are easier to find…

Comment from Jake Brodsky
Time: March 27, 2009, 10:53 am

Matt, I think we’ll have to disagree here.

If this sort of behavior continues, I will rest uneasily, knowing that it WILL be outlawed. Mind you, the outlawing will not keep these guys from doing what they’re doing, but it will keep them from selling their results in the open.

It’s sort of like those people who like to make their own thermite in their garages. You can’t stop them, but you can prosecute them when they go public. And that’s precisely where these guys are taking the industry.

I wish it didn’t have to be this way. I wish these guys would get a clue and realize that they can do more to change the world from the inside than by posting snarky comments on the code quality of various vendors. This shows the immaturity of these people that they think that such behavior will make executives throw piles of money at them. I seriously doubt that will happen.

What it will do, however, is to force ignorant people to regulate the industry as a whole.

We’ll see who screams uncle first. Wanna take bets? :-)

Comment from Matthew Franz
Time: March 27, 2009, 11:37 am

Jake,

In the big picture of things, ceasing immature rants against vendors isn't going to impact the direction of regulating this space.

(While I certainly am no fan of the immature 20-something hacker change-the-world mentality, arguably you can make more impact working outside the system, and it certainly gives you more of an ego boost, which is what it is all about anyway, right?)

History is moving in that direction anyway. That train has left the station. All you have to do is look at the looming regulation attempting to solidify the financial infrastructure and see the writing on the wall for software and the network infrastructure. We saw the wild west in the 90s, commercialization in the 2000s, and things will be quite different 5-10 years from now.
