> I still don't see why a security company would
> buy an exploit if it isn't public knowledge: what
> use to his customer is "look at this root shell,
> you are vulnerable, the vendor doesn't know,
> the underground does, you can't patch"?!?!

Paying for vulnerabilities gives the security company certain advantages.

1. Pen testing...having the latest and greatest vulnerabilities to exploit will set them apart.

2. Managed Services...being able to detect the latest and greatest vulnerabilities will set them apart. There's nothing that says someone else won't find the vulnerability themselves...remember, I had posited that the level of sophistication for finding vulnerabilities will increase dramatically if significant funds are involved.

3. Recognition...the security company itself can then make all or part of the vulnerability known to the public, or they can work directly with the vendor, so that their customers get first access to the patch before it's released to the general user public. Of course, that will also probably lead to 'special' subscription deals with vendors.

Think about it...if some security company takes a vulnerability to, say, Sun Microsystems and works with them on the patch, don't you think that other users of the vendor's products, other than the security company's own customers, would be interested in a patch? Particularly if the vulnerability resulted in an immediate root shell for the attacker? Sounds like fertile ground for a 'gold' membership to me...

> Sure there are workarounds, but when a bug is found
> the software needs to be fixed.

Agreed. But if companies start offering money for exploits on a large scale, and it becomes part of "how things are", then the landscape is going to change dramatically. Right now, some of the folks who find vulnerabilities aren't doing it for financial gain. Many might end up getting job offers as a result of their activities, but they aren't being paid to find the holes.
Heck, it wasn't so long ago that there was still a heated discussion on the win2ksecadvice list regarding disclosure...

> So how are people going to sell >1 copy of their
> exploit?

That's not the point. They won't have to. Or, it will depend on the contracts they write and sign.

> The first person to buy tells the vendor, then it's
> public knowledge (of the vuln. the exploit code is
> still rare).

Okay, here's how I see it. Security companies will offer a bounty for vulnerabilities...and in doing so, there will be many conditions. For example, they'll want a complete write-up, perhaps even with exploit code (or that may even be extra). The conditions will have to be readily reproducible. Before payment is made, certain legal documentation will need to be signed. After all, there is no benefit in paying for an exploit if the guy who found it is going to sell it to your competitor. It's easy to see how the payment for the vulnerability will likely be in accordance with the level of devastation caused by the exploit, how widely exploitable it's likely to be, etc.

Then, it's up to the security company as to when they'd like to contact the vendor. They may do so through some pre-arranged channel partnership. Credit for the vulnerability will now go to the security company...after all, they own the rights to this particular exploit, so it's theirs. Of course, they'd want to take it to the vendor, b/c as it becomes more and more commonplace to pay for exploits, the technical sophistication of those looking for and finding the vulnerabilities will increase. The practice will become more methodological, and less haphazard.

> Now 99% of security companies can scan
> for vuln (even if they don't get a root prompt), and
> 1% can actually exploit. To the customer it's the
> same
> "You are vulnerable" (show core dump/root prompt)
> "get the patch from here, problem sorted".
> None of the security companies need to buy the
> exploit.
The selling of exploits may become a huge market, if it gets off the ground. It's long-term revenue for both the security company and the vendor. Here's why...there will be lots of individuals and small groups out there, pounding away at products (most likely targeting those products w/ the greatest market share!!), trying to sell their exploits to security companies. Security companies, on the other hand, can create a 'gold' membership for their customers if they offer such a thing. This higher level of subscription membership will get them informed of the vulnerability and, oh, yeah, since we're providing security management services, you're protected.

Now, I know what you're thinking. This is a lot of cruft. But look at all the security companies out there now who are selling 'services', when, in fact, they really aren't providing anything. Security companies that do pen testing usually charge a pretty high rate anyway. Adding the new exploits to their arsenal will be part of the business plan.

Vendors can do the same thing with the subscription services. They can set up a service such that customers of theirs, while not being customers of the security company that submits the exploit, will be able to get the latest and greatest vulnerabilities before anyone else...for a fee. Say, like banks, financial institutions...pretty much anyone with a big investment to protect.

> Knowledge of the vuln is surely enough?

Is it? If the security company contacts the vendor and provides the vulnerability, but retains ownership of the exploit code, then folks like us will have to do a lot of work analyzing the patch after it comes out just to find out what it does.

> Security companies pushing some of their cash
> back into the underground to fund research, to find
> bugs in software is a good idea - but the fruits of
> that research must be public.
If the security companies begin a trend of paying for exploits, who are you (or me, or anyone else) to say that it 'must be public'?

> That leaves the leech companies doing no research
> and still making a profit - but I guess most clients
> would favour the ones performing active research,
> whose name is known.

Clients will favor those who can provide the best service. That may very well be the leech companies, as they'll be paying for the exploits, and their clients will receive knowledge of and protection from them before they are even public. And it doesn't have to be an extended period of time, as it was with sadmin/IIS, for example. Things will move much more quickly, as with Code Red. In fact, I can even see splinter groups that will find a new vulnerability, and in an effort to keep everything public, will release a proof of concept tool, such as Code Red.

Carv
This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 11:19:40 PDT