Money changes everything. Just when security researchers and software companies seemed to reach a consensus on the contentious issue of publicizing information about computer security flaws, businesses that sell vulnerability information are disturbing the peace.
Last week, at the CanSecWest computer security conference in Vancouver, Canada, I debated the ways commercialization has changed vulnerability reporting during a panel discussion that included independent researchers as well as executives and employees from Oracle, Novell, Intel, 3Com and iDefense. My conclusion is that more commercialization means more private control, and that is not a good thing for security.
A few years ago, hackers and software vendors vigorously argued whether researchers should go public with security flaws so users could protect themselves and demand better products from vendors, or if they're better off keeping the information quiet so as not to aid malicious attackers. Eventually, consensus formed around a middle ground called "responsible disclosure": Researchers would generally report their discovery of flaws, but withhold information useful to attackers until after vendors issued a patch.
Meanwhile, vendors would publicly credit the researcher with finding the flaw. The practice recognized the importance of public disclosure, but sought to balance it against the danger of providing easy-to-use tools to wannabes and script kiddies.
The détente has not been perfect. Computer security professionals, including Oracle's Darius Wiles on our panel, continue to disagree over how much information adequately informs the public without helping attackers. Researchers continue to disagree with software vendors about the amount of time it takes to fix problems in good faith. And not all researchers or companies adhere to the responsible disclosure framework, though many do.
Also, as college student and researcher Matt Murphy pointed out, we ask a lot from the researcher, who performs a valuable and labor-intensive service in finding bugs, only to give the information to the vendor, in exchange for nothing more than the promise of a shout-out.
Into this gap, a new type of security company has emerged: information brokerage firms that pay researchers a finder's fee for security holes.
Michael Sutton from iDefense told us that his company, which pays between a few hundred dollars and $10,000 for a vulnerability, reports the information first to the affected vendors, then passes it on to paid subscribers. Terri Forslof's company, 3Com, also pays a bounty for bugs, and uses the information to improve its TippingPoint intrusion-prevention system.
I have advised two businesses that had plans to auction vulnerabilities to the highest bidder on eBay. (After talking with me, each decided not to take the risk.)
Some vendors have decided to pay researchers directly for bugs. For example, Mozilla has a Bug Bounty Program that gives researchers $500 and a T-shirt for their finds.
I see real benefits to the public, researchers and vendors from this trend to commercialization: An information broker may be better than the researcher at communicating and working with the vendor. A reputable broker may have better luck than an unknown researcher in getting the vendor to take a security problem seriously and deal with it in a timely manner. Meanwhile, the researcher gets both credit and financial compensation. The promise of compensation will incentivize more research, and more research means more bugs are found.
But commercialization can also be dangerous. Foreign governments, corporate spies, the mafia, terrorists and spammers want vulnerabilities that no one else knows about and for which there are no patches. These groups have always been motivated to gain control of vulnerability information at any price, even before information brokerage became relatively commonplace.
Some members of the CanSecWest audience worried that commercialization makes it easier for researchers to sell to the highest bidder, even if the highest bidder has criminal intentions.
I'm more concerned that commercialization, while it promotes discovery, will interfere with the publication of vulnerability information. The industry adopted responsible disclosure because almost everyone agrees that members of the public need to know if they are secure, and because there is inherent danger in some people having more information than others.
Commercialization throws that out the window. Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem.
The insiders who know about the flaw could exploit it, attacking those systems whose administrators remain unaware. Even if that doesn't happen, the broker business depends on customers feeling the need to pay for early notification. Toby Kohlenberg from Intel somewhat rhetorically asked the brokers on our panel whether they expected a company that wants all the up-to-date security information to subscribe to multiple brokerage services at a potential cost of up to $1 million a year.
Now that information brokers pay researchers for information, they are going to want to control what happens with that information. Michael Sutton, director of the iDefense Lab, says his company has no plans to sue researchers or customers who redistribute vulnerabilities without permission. Unauthorized disclosure, Sutton says, "is part of the business." But at some point, an information broker that wants to prevent researchers, customers and insiders from disclosing to nonpaying members of the public will seek protection in intellectual property law.
Copyright law can prevent a broker's paying customers from redistributing a patch to those who have not paid. Trade secret law can prevent insiders or entities under nondisclosure agreements from informing the public about a flaw. Patent law can prevent even those who independently discover the flaw from testing for it or patching it.
Murphy and some other panelists argued that vendor purchase programs like Mozilla's work better than information broker programs because they are the most responsible form of disclosure, and vendors can use financial incentives to drive research toward the most dangerous flaws.
Yet, vendors have already demonstrated that they're willing to claim intellectual property infringement when researchers seek to disclose vulnerability information about their products. I have represented security companies that wanted to publish information about a flaw, but were informed by the vendor that they would be sued for trade secret violations if they did so. In the criminal case of United States v. Bret McDanel, a now-defunct internet messaging service convinced the Department of Justice to prosecute a man who had the temerity to inform customers that the service was insecure. More recently, Cisco Systems sued researcher Michael Lynn for disclosing a flaw in its routers. Cisco asserts that its concern was not for the company's reputation, but for customers' security.
Regardless, if courts accept the theory that Cisco has property rights in vulnerability information, it gives fuel to those who want to hide that information for private gain rather than public good. Now that vulnerability information is a commodity, there's more pressure for the law to protect that information as a business asset, rather than encourage its disclosure in the public interest.
We are already living in a failed, broken computer security market. The average customer doesn't have the knowledge to demand better security so vendors don't have an incentive to provide it. Commercialization exacerbates the problem by casting vulnerabilities as a market commodity -- no different than software or songs.
But it is different. Like clean air or public parks, the public needs vulnerability information. Yet, like polluters or real estate developers, there are private interests willing to pay big bucks to ensure that information is only useful to a select few. Vulnerability disclosure plays a special role in promoting public security. As vulnerability brokerages grow, policy makers and courts must recognize that this is not just another information market.[an error occurred while processing this directive]