[ISN] Paying for Flaws Pays Off for iDefense

From: InfoSec News (isn@private)
Date: Fri Mar 04 2005 - 02:09:44 PST


By Ryan Naraine 
March 3, 2005 

Internet security specialist iDefense Inc. has released a
reverse-engineering tool to the open-source community as part of its
controversial strategy of buying the rights to information on security
flaws found by underground researchers.

The decision to roll out the IDA Sync tool was driven by a need to
"contribute to the cycle" of making flaw-finding easier for the
private individuals who participate in iDefense's VCP (Vulnerability
Contributor Program).

The 3-year-old VCP involves financial incentives to anonymous
researchers who agree to give up exclusive rights to advance
notification of unpublished vulnerabilities or exploit code to

Michael Sutton, director of iDefense Labs, said the wild success of
the program has driven the company to release tools like IDA Sync,
which lets multiple analysts synchronize their
reverse-engineering work in real time within the IDA Pro

In an interview with eWEEK.com, Sutton said groups of researchers can
use the IDA Sync plug-in to connect to the disassembler and share
comments and name changes.

"A large group of researchers can now pick apart a program and share
their findings with each other right within IDA Pro, which is the
de-facto standard for disassembling within Windows," Sutton said.

In addition to IDA Sync, iDefense has previously released tools such
as IDA pGRAPH, a plug-in that generates control-flow graphs; IDA
Function Analyzer, an IDA C++ plug-in designed to provide an abstracted
layer over "chunked" functions; and the Attack Vector Test Platform, a
tool that was used in the research for the paper titled "A Comparison
of Buffer Overflow Prevention Implementations and Weaknesses."

Flaw-finding has generated big business—and invaluable publicity—for
the Reston, Va.-based iDefense. So far this year, the company is
credited with the responsible disclosure of 36 security bulletins,
including major flaws in products sold by Computer Associates
International Inc., RealNetworks Inc. and Apple Computer Inc.

Sutton said that more than 80 percent of all vulnerabilities reported
by iDefense were purchased from private, sometimes anonymous, software

"We'll pay for the exclusive intellectual property rights to the
research, and this program works for everyone. The researchers make
money for their work, the vendors get the benefit of responsible
advance notices, and the end users get well-tested patches."

Not everyone agrees. Firas Raouf, chief operating officer of eEye
Digital Security, thinks that the business of buying rights to flaw
information is a dangerous practice.

"We don't believe that finding software vulnerabilities should be a
for-profit business. We have a problem with paying for flaws. People
should not be rewarded financially for finding flaws. Researchers
should consider that finding flaws is an end in itself to make the
world a more secure place," Raouf said in an interview.

iDefense's Sutton, however, argued that buying the information is the
only way to make flaw discovery a scalable business.

"Last year, we released more than 100 public advisories. If you were
to hire a team to come up with that volume in a year, it would cost a
ton of money. The VCP gives us a very flexible, scalable business

Sutton refused to discuss how much money is paid for the rights to a
flaw discovery.

When the program launched in 2002, the company was offering up to $400
per vulnerability, and eEye's Raouf believes it is now in the range of
$3,000 each.

"You have to remember there is a very lucrative underground market for
this information. There's a lot of work being done on the organized
crime side to get this information, and the prices being offered are
quite high," Raouf said.

Raouf supports software vendors offering financial incentives, much
like the Mozilla Foundation's bounty program that pays up to $500 for
any critical bug found in the open-source code base.

"Finding vulnerabilities should be part of a manufacturer's QA
[quality assurance] process. Microsoft, for example, is investing a
lot of resources on training to help developers write secure code. It
has worked quite well for Mozilla to get more professionals picking
away at the code," Raouf said.

"Paying for this kind of information could have some implications. You
end up getting people who aren't necessarily experts in the field
trying to find something and sell it to the highest bidder … Once you
start this, unless there's a strict process in place to manage it, you
may end up with more problems for everyone," Raouf added.

A spokeswoman for Microsoft said the company has never paid for
information on product bugs from private individuals.

"We credit finders who report vulnerabilities under responsible
disclosure and, from time to time, [we have] contracted security
research companies to review code for products under development," the
spokeswoman said.


This archive was generated by hypermail 2.1.3 : Fri Mar 04 2005 - 03:44:17 PST