[ISN] Bug Finders: Should They Be Paid?

From: InfoSec News (isnat_private)
Date: Mon Aug 12 2002 - 00:46:33 PDT


    [When this was being talked about at Defcon 10, I overheard one party
    mention that if this was the case, then he could very well become a
    majority shareholder in iDefense with the number of vulnerabilities in
    his collection. - WK]

    By Michelle Delio
    1:25 p.m. Aug. 9, 2002 PDT
    A security company's offer to pay for information on bugs discovered
    in software has once again stirred discussions over a long-simmering
    issue -- whether independent researchers should receive compensation
    for the flaws they find and how information about security
    vulnerabilities should be disclosed.

    Donors to security information firm iDefense's new Vulnerability
    Contributor Program will receive cash awards of up to $400 for each
    report of a software vulnerability. Additional bonuses will be paid if
    the discoverer agrees to grant iDefense exclusive rights to the

    Some welcome iDefense's program, believing that researchers should
    profit from their work, but others think that offering cash for
    exploits will lead to unethical behavior by -- and possible legal
    problems for -- bug hunters.

    The widely held opinion within the computer security community is that
    a bug hunter -- someone who pokes and prods software for security
    flaws -- should either be employed by a software or security company
    or do the work on a volunteer basis. At best, the bug hunter should
    receive credit for discovering the exploit and perhaps access to tools
    which could help the researcher continue work, such as inside
    information or program code from software companies.

    Bug hunters typically pride themselves on following the rules of
    disclosure outlined in the Full Disclosure Policy written by a
    security researcher known as Rain Forest Puppy.

    The rules detail methods for alerting and working with software
    manufacturers, and stipulate that "monetary compensation, or any
    situation that could be misconstrued as extortion, is highly

    Extortion in this case refers to a company perhaps feeling pressured
    to pay a "finder's fee" to the bug hunter. That would turn what should
    be an act of good will into a profitable venture, and perhaps lead to
    legal hassles for the bug finder, who could be accused of blackmail or
    other nefarious activities.

    Most bug hunters notify vendors of any problems they discover and
    then, once the issue has been addressed, freely post information about
    it to a security discussion forum or mailing list such as
    SecurityFocus' Bugtraq.
    But recent events, such as the $75 million cash purchase of
    SecurityFocus by software vendor Symantec, have left some wondering
    whether researchers themselves should be able to profit from their

    "When I initially heard that a company was preparing to offer
    financial rewards to security bug researchers, my first thought was
    that it would turn those exploit finders into prostitutes rushing
    around finding exploits to make a fast buck," said Marquis Grove of
    Security News Portal. "But as I thought further on the subject I came
    to the realization that over the years, everyone had been making money
    off the work of these researchers except the researchers."

    Grove favors iDefense's program, but others feel the Vulnerability
    Contributor Program is another example of a company taking advantage
    of independent bug hunters.

    Security researcher H.D. Moore said the iDefense program "takes the
    cake for the most obvious ploy to exploit the security community for
    corporate profit."

    "The amount they plan on dishing out is trivial in comparison to what
    iDefense will be reselling this information for," he said.

    Moore said that most of his and other researchers' bug hunting is part
    of their paid work. Many are employed as security consultants or
    systems administrators, so they are already rewarded for their

    "The rest of it I do because I like to," Moore said. "Researchers
    don't need financial compensation to do what they do."

    Many also feel that offering recompense for research will set a
    dangerous ethical precedent.

    "How long until someone sinister starts bidding against iDefense and
    decides that they are willing to pay multiples more in order to lay
    their hands on some information they deem desirable?" asked security
    researcher A.J. Reznor. "This business model begs competition and the
    thinkers involved, the ones doing the real exploit work, hold all
    the cards and can shop around and name their price."
    As proof of potential problems in the making, Reznor pointed to
    alternate pay-for-ploy systems that had been discussed at recent
    security conventions.

    Reznor also wondered what would happen in "fringe scenarios," where an
    exploit ended up in the hands of a country deemed hostile by the
    hacker's nation. Would such a sale count as treason?

    Illinois attorney Nadine Guessler said that such a situation would
    probably not result in a charge of treason, which she said would
    require proof that the person acted willfully and with intent.

    "But providing sensitive information that was or could be used against
    the U.S. certainly would be an extremely uncomfortable situation to
    become involved in," Guessler added.

    While no one is accusing iDefense of selling secrets to the enemy,
    some worry that cash rewards could encourage widespread unethical
    behavior, such as bug hunters partnering with company-employed
    programmers to purposely plant and then "discover" flaws.

    IDefense spokesman Michael Cheek said that the company will work
    only with those who ethically discover valid vulnerabilities.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Aug 12 2002 - 02:54:13 PDT