[ISN] Zero-day sales not 'fair' - to researchers

From: InfoSec News (alerts@private)
Date: Mon Jun 04 2007 - 22:16:41 PDT


http://www.theregister.co.uk/2007/06/03/market_value_of_software_security_vulnerabilites/

By Robert Lemos
SecurityFocus
3rd June 2007 

Two years ago, Charles Miller found a remotely exploitable flaw in a 
common component of the Linux operating system, and as many enterprising 
vulnerability researchers are doing today, he decided to sell the 
information.

Having recently left the National Security Agency, the security 
professional decided to try his hand at selling the bug to the U.S. 
government. In a paper due to be presented next week at the Workshop on 
the Economics of Information Security, Miller - now a principal security 
analyst at Independent Security Evaluators - writes about the experience 
and analyzes the market for security vulnerabilities.

In the case of the Linux flaw, one agency offered him $10,000, while a 
second told him to name a price. When he said $80,000, his contact 
quickly agreed.

"The government official said he was not allowed to name a price, but 
that I should make an offer," Miller told SecurityFocus. "And when I 
did, he said OK, and I thought, 'Oh man, I could have gotten a lot 
more.'"

The sale underscores a significant problem for vulnerability 
researchers who attempt to sell a flaw: determining the value of the 
information. In addition, time is a major factor: Miller felt pressured 
to complete the deal, because if anyone else found and disclosed the 
flaw, its value would plummet to zero. In a second attempted sale 
outlined in the paper, the disclosure clock ran out for Miller as he 
tried to sell a PowerPoint flaw that Microsoft patched this past 
February before the researcher could close the deal.

Yet, researchers who sell vulnerabilities should also consider the 
ethical issues involved, said Terri Forslof, manager of security 
response for TippingPoint, a subsidiary of networking giant 3Com.

"The value of the vulnerability is determined by the amount of time that 
the vulnerability can be used to get a return on investment before it is 
patched," Forslof said. "If I'm paying $50,000 for a vulnerability, what 
am I doing with it? I'm likely not trying to get it patched."

Miller's paper comes as sales of vulnerability information are becoming 
more common. Driven by researchers' reluctance to give away hard-won 
information for free and the standardization on flaw bounties through 
initiatives such as iDefense's Vulnerability Contributor Program and 
3Com's Zero-Day Initiative, flaw finders are increasingly trying to get 
paid for their work.

Miller found out that selling a flaw for a fair price is difficult. 
While the unnamed government agency offered the researcher $80,000, it 
placed a condition on the sale: the exploit would have to work 
against a particular flavor of Linux. Two weeks later, and worried that 
the flaw might be found, Miller accepted a lesser offer from the same 
group for $50,000 for the exploit as is.

"While I was paid, it wasn't a full success," he wrote in the paper 
(PDF) [1]. "First, I had no way to know the fair market value for this 
exploit. I may have been off by a factor of ten or more."

Moreover, Miller had contacts in the government, but could not initially 
find the right people with whom to deal. So he offered a 10 percent cut 
to a friend who had better contacts. Other researchers might not be able 
to find the right contacts to complete similar deals.

"The only reason this sale happened at all was because of personal 
contacts I had, which should not be necessary for a security researcher 
who wants to make a living," he wrote in the paper.

The sale of a second vulnerability did not go so well.

In January, Miller was approached by a friend who wanted to sell a flaw 
in Microsoft PowerPoint XP and 2003. Miller found very little guidance 
in the market to help him set a price, but he believed a company would 
pay up to $20,000 for the flaw and a government agency, perhaps $50,000.

In reality, he only had a handful of offers but haggled one company up 
to $12,000. Before he could close the deal, however, Microsoft released 
a fix for the issue. The delay and difficulty in finding a buyer and 
the problems in setting a price had essentially scuttled the deal, 
Miller said.

"I don't think it fair that researchers don't have the information and 
contacts they need to sell their research," Miller said.

Yet, TippingPoint's Forslof stressed that selling to the government does 
not necessarily set a fair price for a vulnerability. Legitimate 
markets include companies that use vulnerability information to protect 
their customers while they contact the vendor to get the issue fixed. 
The government generally constitutes a gray market, because it most 
likely is not going to notify the vendor, and the researcher does not 
know how it is going to use the information. The black market, where 
the buyers are likely to use the vulnerability for illicit purposes, 
would likely pay the most money but put end users in the most jeopardy.

"There are a range of prices when you are talking about fair market 
value versus black market value," she said. "And the government is in a 
class of their own. It's a matter of what is going to happen to that 
vulnerability and how they are going to use it."

The answers to those questions drove one researcher to deal with a 
vulnerability-buying program rather than selling to a government agency.

Security researcher Aviv Raff found two trivial-to-exploit 
vulnerabilities in a component of the Windows Vista operating system 
late last year. He shopped the more critical flaw to a number of 
security companies as well as the two major vulnerability-purchase 
programs. While some of the security companies bested the offers from 
TippingPoint and iDefense, he declined to sell the flaw to them because 
they would not commit to notifying Microsoft of the issue.

For the same reason, selling the vulnerability to the government was out 
of the question as well.

"I wouldn't mind (selling the information to the government), if I knew 
they will report it to Microsoft," Raff said.

Because of the terms of the sale, Raff cannot mention the name of the 
program to which he sold the vulnerability nor the price at which he 
sold it, except to say it's much less than $80,000.

Raff directly notified Microsoft of the less critical of the two 
vulnerabilities. The software giant has not yet patched the flaws.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

[1] http://weis2007.econinfosec.org/papers/29.pdf
