Re: [ISN] Bug Finders: Should They Be Paid?

From: InfoSec News (isnat_private)
Date: Tue Aug 13 2002 - 02:25:46 PDT


    Forwarded from: Emerson Tan <etat_private>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    At 02:46 12/08/2002 -0500, you wrote:
    >http://www.wired.com/news/technology/0,1282,54450,00.html
    >
    >[When this was being talked about at Defcon 10, I overheard one
    >party  mention that if this was the case, then he could very well
    >become a  majority shareholder in iDefense with the number of
    >vulnerabilities in  his collection.  - WK]
    >
    >
    >By Michelle Delio 
    >1:25 p.m. Aug. 9, 2002 PDT 
    >
    >A security company's offer to pay for information on bugs discovered
    >in software has once again stirred discussions over a long-simmering
    >issue -- whether independent researchers should receive compensation
    >for the flaws they find and how information about security
    >vulnerabilities should be disclosed.
    >
    <snip>
    >
    >While no one is accusing iDefense of selling secrets to the enemy,
    >some worry that cash rewards could encourage widespread unethical
    >behavior, such as bug hunters partnering with company-employed
    >programmers to purposely plant and then "discover" flaws.
    
    It's worth pointing out that at least one software firm tried this
    internally in the early 90s and almost immediately hit the collusion
    problem, resulting in a bunch of well-off programmers and no
    improvement in software quality. This company couldn't effectively
    monitor its own internal communications, so it's going to be very
    hard for someone like iDefense to audit a scheme like this for this
    kind of dishonesty.
    
    Indeed, the scam inside the software company was only discovered when
    someone plotted out the number of bugs discovered and pointed out that
    there was no way that so many bugs could have crept into such small
    bits of code. Without access to source for many products, iDefense
    probably can't do this analysis. I would caution them to think twice
    before engaging in this course of action unless they have very deep
    pockets.
    
    >
    >iDefense spokesman Michael Cheek said that the company will only
    >work with those who ethically discover valid vulnerabilities.
    
    This raises the question of what an ethically discovered
    vulnerability is and how you find out.
    
    If I steal the source for, say, IOS, and discover an exploitable
    problem via source code analysis, I can invent a cock-and-bull story
    and still be paid. iDefense is going to be no wiser unless they look
    through all my possessions, as I've faked my working notes (trivial) and
    have written some shifty test code (trivial again). This obviously
    wasn't ethical.
    
    Unless iDefense releases its audit methodology and ethical criteria,
    anything like this is going to be suspicious. It is left up to the
    interested reader as to how to circumvent any safeguards iDefense may
    have in this area.
    
    Emerson
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPVenHQnUC24nNNxyEQK0cgCgvh8xxkbWXi9DZtcMsAE1kCehNyMAoKac
    KfERN6gR07gLfP2A49xXsFKu
    =+u40
    -----END PGP SIGNATURE-----
    
    ---
    "None are more hopelessly enslaved than those who falsely believe they are
    free." - Goethe
    Emerson Tan
    Freelance Thinker
    etat_private :PGP public key on request or from http://pgpkeys.mit.edu 
    PGP key fingerprint: 71E9 0C2A CD8F 44AC 4CA5  BB3D 09D4 0B6E 2734 DC72
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
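The collusion check Emerson describes (plot bugs found against the size of the code they were found in, and look for the submitter whose numbers cannot be honest) is straightforward to automate when the bounty operator knows the code size. The script below is an added example, not part of the original post or anything iDefense published. It works on a constructed table of bounty payouts (submitter, module, lines of code, bugs paid) and flags submitters whose defect density is an outlier by the modified z-score (median and median absolute deviation), which is robust to the one inflated row dragging a mean-based threshold up. The threshold of 3.5 is the conventional one for that statistic; the 0.6745 factor is the scaling that makes the MAD comparable to a standard deviation for normally distributed data.

```python
"""Bug-density sanity check for a paid bug-bounty scheme (added example).

Given payout records, aggregate bugs and lines of code per submitter,
compute bugs per KLOC, and flag anyone whose density is implausibly far
above the rest of the programme. All data below is constructed.
"""
from statistics import median

# Constructed sample payout records: (submitter, module, lines_of_code, bugs_paid).
# "mallory" is the planted-bug scenario from the thread: 14 paid bugs in 600 lines.
SUBMISSIONS = [
    ("alice",   "auth",   12000,  6),
    ("bob",     "net",     8000,  3),
    ("carol",   "parser", 20000, 12),
    ("dave",    "ui",     15000,  5),
    ("erin",    "crypto",  9000,  4),
    ("mallory", "util",     600, 14),
]

MAD_SCALE = 0.6745        # makes MAD comparable to a standard deviation
Z_THRESHOLD = 3.5         # conventional cut-off for the modified z-score


def density_per_submitter(rows):
    """Sum LOC and bugs per submitter and return {submitter: bugs per KLOC}."""
    totals = {}
    for submitter, _module, loc, bugs in rows:
        t = totals.setdefault(submitter, [0, 0])
        t[0] += loc
        t[1] += bugs
    return {s: bugs / (loc / 1000.0) for s, (loc, bugs) in totals.items()}


def modified_z_scores(values):
    """Robust outlier score: 0.6745 * (x - median) / MAD.

    If every value is identical the MAD is 0 and nothing can be an
    outlier, so all scores are 0 rather than dividing by zero.
    """
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    if mad == 0:
        return {k: 0.0 for k in values}
    return {k: MAD_SCALE * (v - med) / mad for k, v in values.items()}


def flag_suspicious(rows, threshold=Z_THRESHOLD):
    """Return submitters whose bugs-per-KLOC is an upward outlier, sorted."""
    densities = density_per_submitter(rows)
    scores = modified_z_scores(densities)
    return sorted(s for s, z in scores.items() if z > threshold)


def report(rows):
    """Plain-text table of density and score per submitter, for a reviewer."""
    densities = density_per_submitter(rows)
    scores = modified_z_scores(densities)
    lines = ["%-8s %10s %8s" % ("who", "bugs/KLOC", "z")]
    for s in sorted(densities, key=densities.get, reverse=True):
        lines.append("%-8s %10.2f %8.1f" % (s, densities[s], scores[s]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SUBMISSIONS))
    print("suspicious:", flag_suspicious(SUBMISSIONS))
```

The check only tells the operator where to look; a submitter with an honest but unusually buggy module will also trip it, so the flag is a prompt to audit the reported bugs against the code, not proof of collusion. It also confirms the post's caveat: without a line count for the affected code, the density cannot be computed at all.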
    


