http://www.wired.com/news/technology/0,1282,54450,00.html

[When this was being talked about at Defcon 10, I overheard one party mention that if this was the case, then he could very well become a majority shareholder in iDefense with the number of vulnerabilities in his collection. - WK]

By Michelle Delio
1:25 p.m. Aug. 9, 2002 PDT

A security company's offer to pay for information on bugs discovered in software has once again stirred discussions over a long-simmering issue -- whether independent researchers should receive compensation for the flaws they find and how information about security vulnerabilities should be disclosed.

Donors to security information firm iDefense's new Vulnerability Contributor Program will receive cash awards of up to $400 for each report of a software vulnerability. Additional bonuses will be paid if the discoverer agrees to grant iDefense exclusive rights to the information.

Some welcome iDefense's program, believing that researchers should profit from their work, but others think that offering cash for exploits will lead to unethical behavior by -- and possible legal problems for -- bug hunters.

The widely held opinion within the computer security community is that a bug hunter -- someone who pokes and prods software for security flaws -- should either be employed by a software or security company or do the work on a volunteer basis. At best, the bug hunter should receive credit for discovering the exploit and perhaps access to tools which could help the researcher continue work, such as inside information or program code from software companies.

Bug hunters typically pride themselves on following the rules of disclosure outlined in the Full Disclosure Policy written by a security researcher known as Rain Forest Puppy. The rules detail methods for alerting and working with software manufacturers, and stipulate that "monetary compensation, or any situation that could be misconstrued as extortion, is highly discouraged."
Extortion in this case refers to a company perhaps feeling pressured to pay a "finder's fee" to the bug hunter. That would turn what should be an act of good will into a profitable venture, and perhaps lead to legal hassles for the bug finder, who could be accused of blackmail or other nefarious activities.

Most bug hunters notify vendors of any problems they discover and then, once the issue has been addressed, freely post information about it to a security discussion forum or mailing list such as SecurityFocus' Bugtraq.

But recent events, such as the $75 million cash purchase of SecurityFocus by software vendor Symantec, have left some wondering whether researchers themselves should be able to profit from their work.

"When I initially heard that a company was preparing to offer financial rewards to security bug researchers, my first thought was that it would turn those exploit finders into prostitutes rushing around finding exploits to make a fast buck," said Marquis Grove of Security News Portal. "But as I thought further on the subject I came to the realization that over the years, everyone had been making money off the work of these researchers except the researchers."

Grove favors iDefense's program, but others feel the Vulnerability Contributor Program is another example of a company taking advantage of independent bug hunters.

Security researcher H.D. Moore said the iDefense program "takes the cake for the most obvious ploy to exploit the security community for corporate profit."

"The amount they plan on dishing out is trivial in comparison to what iDefense will be reselling this information for," he said.

Moore said that most of his and other researchers' bug hunting is part of their paid work. Many are employed as security consultants or systems administrators, so they are already rewarded for their efforts.

"The rest of it I do because I like to," Moore said. "Researchers don't need financial compensation to do what they do."
Many also feel that offering recompense for research will set a dangerous ethical precedent.

"How long until someone sinister starts bidding against iDefense and decides that they are willing to pay multiples more in order to lay their hands on some information they deem desirable?" asked security researcher A.J. Reznor. "This business model begs competition and the thinkers involved, the ones doing the real exploit work, hold all the cards and can shop around and name their price."

As proof of potential problems in the making, Reznor pointed to alternate pay-for-ploy systems that had been discussed at recent security conventions.

Reznor also wondered what would happen in "fringe scenarios," where an exploit ended up in the hands of a country deemed hostile by the hacker's nation. Would such a sale count as treason?

Illinois attorney Nadine Guessler said that such a situation would probably not result in a charge of treason, which she said would require proof that the person acted willfully and with intent.

"But providing sensitive information that was or could be used against the U.S. certainly would be an extremely uncomfortable situation to become involved in," Guessler added.

While no one is accusing iDefense of selling secrets to the enemy, some worry that cash rewards could encourage widespread unethical behavior, such as bug hunters partnering with company-employed programmers to purposely plant and then "discover" flaws.

iDefense spokesman Michael Cheek said that the company will work only with those who ethically discover valid vulnerabilities.
This archive was generated by hypermail 2b30 : Mon Aug 12 2002 - 02:54:13 PDT