Does Exposing Flaws Promote Security?
When a recent hacking contest won security researcher Dino Dai Zovi a $10,000 award for breaking into a MacBook Pro computer by exploiting a flaw he'd discovered, the contest reignited a long-simmering debate over "responsible disclosure" of vulnerabilities.
Research firm Gartner denounced public hacking contests as an inappropriate way to conduct vulnerability research, noting such contests can run "contrary to responsible-disclosure practices" that give vendors a chance to develop patches or remediation before public announcements. TippingPoint paid the $10,000 award for the conference-run contest and found itself under fire from competitors, including McAfee and Internet Security Systems, both of which oppose paying rewards for vulnerability discoveries.
For the enterprise network manager, the notion of responsible disclosure has centered on the idea that major security flaws in products they use wouldn't be shared publicly in any way until a software vendor corrected them. That's the underlying premise of what's called the Organization for Internet Safety (OIS) guidelines first released five years ago and updated in 2004. An effort spearheaded by Microsoft, the OIS guidelines now face criticism from some of the very people who wrote them, who argue enterprises should know about serious flaws early for purposes of security workarounds.
At the same time, there's the question of whether paying big bucks for critical software-hacking exploits makes the enterprise network safer or is simply creating more risk as a market for hacker discoveries grows.
Behind all the sound and fury, it's clear that security vendors can profit by being the first in the know about critical unpatched software flaws that would affect hundreds of thousands of users.
"We're against public hacking contests but we are in favor of actively looking for vulnerabilities," says Mike Denning, vice president of security services at VeriSign, which has 40 full-time internal researchers and works with 300 outside contractors, as Denning calls them, to gain exclusive rights to new software vulnerabilities, the more critical the better. These exclusive rights mean the researcher won't sell them to anyone else, nor discuss them, allowing VeriSign to make whatever use of the information they wish.
VeriSign, which got into the pay-for-research information business by acquiring iDefense two years ago, won't say what it pays these contractors for original research. But VeriSign offers a "vulnerability notification service" that runs into the "multiple six-figures per year," for purchase by enterprises, government agencies and software vendors, Denning says. He says that at the same time the vulnerability information is sent to subscribers, it is also shared with the software vendor whose software needs to be fixed. The advantage for customers is they know about problems early and can put in workarounds, though word about flaws could leak out before a vendor had a security fix ready.
VeriSign and TippingPoint, a 3Com division, are the only two security vendors widely known to be paying independent researchers for vulnerability information, with TippingPoint incorporating the information into its Digital Vacine service for intrusion-prevention systems and VeriSign with the vulnerability-notification service.
TippingPoint's manager of security response, Terri Forslof, says the internal research team consists of about 20 people, while TippingPoint has signed up about 500 independent researchers under the Zero Day Initiative (ZDI) program launched two years ago. ZDI-signed researchers get paid when they deliver original information about software flaws for exclusive use by TippingPoint.
TippingPoint's outside researchers are from "all over the world, Pakistan, Nepal, China, U.S. and Europe," says Forslof.
The more critical the software flaw, particularly for widely used applications, the more money researchers will earn. The $10,000 paid to Zovi in April represents a "fair baseline," says Forslof. As to the criticism, Forslof says she doesn't agree with Gartner's statement about responsible disclosure and public contests. Forslof, who five years ago was working in Microsoft's security response center and helped craft the responsible-disclosure guidelines that Microsoft sought to rally the security industry behind, says these standards are no longer relevant.
"They're basically dead," says Forslof about the OIS guidelines that defined responsible disclosure as not revealing anything about a security flaw until the vendor had a patch.
"The OIS standards were a valiant effort, but in the end the OIS was designed to help vendors manage things on their end," she says. The vulnerability research TippingPoint acquires helps it keep the TippingPoint intrusion-prevention system updated to protect against flaws before they are public.
McAfee, which does support the OIS guidelines, opposes sharing information with a customer until a patch is ready. Dave Marcus, McAfee's security research and communications manager, said McAfee also opposes paying outside researchers for vulnerability information, saying it's a bad incentive that pushes security research "over the deep end."
Kris Lamb, director of the X-force research-development team at IBM's Internet Security Systems division, says paying contractors for vulnerabilities doesn't make it ethical or safe. "They are creating a cottage-industry market of purchasing of unsanitized vulnerability information," he says. "It's an illusion of control. They only know what the researcher wants them to know. They're brokering information that makes the world less safe."
To such criticisms, VeriSign and TippingPoint respond they only deal with reputable security researchers.
"We track the bad actors," says VeriSign's Denning, adding that hacker groups like Wicked Rose in China or the Russian Business Network won't be paid by VeriSign. "We know what they are."
Into the midst of this debate, Frost & Sullivan last month issued its first study on vulnerability research to analyze which players are doing the most in terms of points scored in the number of vulnerabilities found.
According to Frost & Sullivan's "2006 World Vulnerability research market," VeriSign and TippingPoint, the only two security vendors known to be paying big bucks for software flaws, topped the list and accounted for about a quarter of the total 509 reported Windows, Linux/Unix and Macintosh vulnerabilities. The remainder were logged by about 70 others, including eEye Digital Security, Red-Database Security GmbH, ISS and McAfee.
Rob Ayoub, Frost & Sullivan's industry manager in network security, says the research suggests that software vendors don't often find security flaws in their products on their own, and that independent vulnerability researchers, with the exception of a few like Austin-based H.D. Moore, may be flocking to those who pay them rather than publicizing finds on their own.
The responsible-disclosure question is an important one because it has a direct effect on customer security, says Amichai Shulman, chief technology officer at Imperva.
"We knew about an incredible Oracle exploit in 2005 and we told them, and it took them five months to patch it," he says. "And three months ago, we discovered something in a large commercial database software, and it's not fixed now."
"As a rule, we don't disclose it to customers if we don't see it being exploited. But if I know of a vulnerability, sooner or later someone else will know of it," he said. One of the main pressures holding down the public disclosure of security flaws is that several vendors, including Microsoft, Oracle, and Sybase, among others, have threatened lawsuits in the past. "They say, by disclosing it, you're endangering our customers, so there's a danger of being sued."