[Infowarrior] - Bug brokers offering higher bounties

Richard Forno rforno at infowarrior.org
Wed Jan 24 19:18:11 EST 2007


Bug brokers offering higher bounties
Robert Lemos, SecurityFocus 2007-01-23
http://www.securityfocus.com/print/news/11437

Adriel Desautels aims to be the go-to guy for researchers that want to sell
information regarding serious security vulnerabilities.

The co-founder of security group Secure Network Operations Software
(SNOSoft), Desautels has claimed to have brokered a number of deals between
researchers and private firms--as well as the odd government agency--for
information on critical flaws in software. Last week, he bluntly told
members of SecurityFocus's BugTraq mailing list and the Full-Disclosure
mailing list that he could sell significant flaw research, in many cases,
for more than $75,000.

"I've seen these exploits sell for as much as $120,000," Desautels told
SecurityFocus in an online interview.

It's a statement that underscores the increasing acceptance of the sale of
vulnerability information. Once a frowned-upon practice, the sale of such
information is taking off. Flaw bounty programs such as TippingPoint's
Zero-Day Initiative (ZDI) and iDefense's Vulnerability Contributor Program
(VCP) have added legitimacy to the practice, even if they remain
controversial. Software vendors have had to increasingly get used to dealing
with third parties reporting security flaws that were bought from anonymous
researchers. Microsoft, for example, patched at least 17 flaws reported by
the two programs in 2006, up from 11 reported in 2005.

Desautels, now the chief technology officer for boutique security firm
Netragard, highlighted the trend by announcing a program on Wednesday
whereby the security company would act as a broker to any researcher with a
critical flaw to sell. The program could be a more lucrative option for
freelance researchers aiming to sell information on software
vulnerabilities.

In many ways, the push by researchers for greater returns on their research
efforts is part of the ebb and flow of the debate over the proper way to
disclose information about software vulnerabilities. In 2000, a researcher
known as Rain Forest Puppy released a basic framework, dubbed the RFPolicy,
for disclosing vulnerabilities in a way that seemed fair to responsible
software makers. In 2002, two security researchers further refined the
guidelines and submitted them to the Internet Engineering Task Force (IETF),
but the technical standards body decided that setting disclosure policy was
outside of its jurisdiction. Over the past few years, software makers, and
Microsoft in particular, have focused on holding researchers to the
guidelines, calling such disclosure "responsible."

It's been an uneasy truce, and one that has fractured in many places. In
2005, a researcher attempted to auction off information about a flaw in
Microsoft Office. Other flaw finders have decided to just release details of
vulnerabilities they have found as a punishment for, what they believe to
be, irresponsible behavior on the part of the software vendor. In the last
six months, for example, a number of researchers have collected advisories
on potential security issues into month-long releases of daily bugs. The
trend started with the Month of Browser Bugs in July and continues with the
latest Month of Apple Bugs this month.

Now, flaw finders fed up with software vendors are increasingly turning to
third parties to buy their research.

"One of the reasons why the hacking community is so frustrated with large
corporations is because these corporations are making a killing off their
research and they are not seeing fair value for their work," Desautels said
in an online interview with SecurityFocus.

Software makers typically do not pay for vulnerability information, with the
notable exception of the Mozilla Foundation. The well-known public bounty
programs typically pay thousands of dollars for original vulnerabilities,
while lesser-known private deals can net a researcher tens of thousands of
dollars, according to security experts.

The amounts quoted by Desautels are not excessive, according to experts
interviewed by SecurityFocus.

In September, for example, a private buyer approached noted security
researcher HD Moore and offered between $60,000 and $120,000 for each
client-side vulnerability found in Internet Explorer, the founder of the Metasploit
Project said. Moore declined to pursue the offer, but said that such prices
are typical of high-level private purchases, while information on serious
flaws in generic enterprise-level applications can be sold to safe
buyers--such as 3Com's ZDI program and VeriSign's VCP program--for between
$5,000 and $10,000.

"The ZDI and (VCP) programs are definitely the easier way to sell a
vulnerability, but at the 5x or 10x multipliers you see from a private
buyer, it's usually worth the effort," Moore told SecurityFocus in an e-mail
interview.

Ethics continues to be a central question in the sales.

Paying $75,000 for vulnerability research likely means that the buyer is a
government agency, and not a private company, said Terri Forslof, manager of
security response for 3Com's TippingPoint. And that raises a number of
questions that should concern any ethical researcher, such as which
government and whether the software vendor is notified of the vulnerability.

"When you are paying $75,000 for a vulnerability, that tells me that you are
not reporting it to a vendor," Forslof said.

Because vulnerability information has a very short lifespan, recouping tens
of thousands of dollars spent on buying a security flaw is difficult.
However, by not telling the software vendor, it's likely that the value of
the information can be preserved longer.

That fact leads to a trade-off between ethics and profit for most
researchers. Under the accepted responsible disclosure timeline, the flaw
finder could notify the software vendor, pressure it to fix the flaw, wait
months for a patch to come out and, perhaps, get acknowledged in the
advisory. On the other hand, the researcher could sell the information for a
significant price and not ask questions about the buyer.

"The buyer with the highest price often wins, but ethics do come into play
when the business of the buyer can't be verified," Metasploit's HD Moore
said in an e-mail interview.

Currently, the gray market does not seem to necessarily compete with
government buyers. Rewards can be higher on the gray market compared to
3Com's and VeriSign's programs, with typical offers for client-side
vulnerabilities ranging from $5,000 to $50,000, he said. However, government
purchasers will generally bid higher.

Raimund Genes, chief technology officer for antivirus firm Trend Micro, has
also seen offers for zero-day flaws between $5,000 and $20,000 in the gray
market. More often, however, buyers attempt to trade credit-card numbers or
goods, he said.

A notable exception occurred last month, when a researcher attempted to sell
an alleged vulnerability in Microsoft's Windows Vista operating system for
$50,000, according to Genes. That could be a sign that criminal enterprises
are willing to compete for vulnerabilities.

"Definitely, the guy who was offering to sell (the flaw) thought it might be
possible," Raimund said. "It might not be out of range."

Fraudsters and spammers could turn a significant vulnerability into a
widespread collection of compromised PCs--a botnet. Spammers have netted
significant profits from stock-touting campaigns, while fraudsters have used
botnets to launch denial-of-service attacks as part of an extortion
campaign or to harvest valuable data from the systems.

Companies, on the other hand, have to justify the expense of buying
vulnerabilities through enhanced services or penetration tests bolstered by
sure-fire 0-day exploits.

For 3Com's TippingPoint, the Zero Day Initiative (ZDI) gives its researchers
a leg up on attackers and competitors, because having the flaw information
means more time to create and test the filters for exploits using the
vulnerability. The company also gets publicity and a selling point for its
services.

Still, it's not always an easy sell, 3Com's Forslof said.

"We continually have to justify where we recoup the cost," she said.
"Mainly, we consider that we recoup it in research--look how much you would
have to pay a top-notch researcher."

Some smaller firms have hit on ways to better profit from vulnerability
information.

While 3Com's and VeriSign's well-known vulnerability purchasing programs
have legitimized the trade in security research, smaller boutique firms that
cater to penetration testers or that have high-value vulnerability
disclosure lists could become significant competitors.

Buenos Aires-based Argeniss Information Security, for example, pays only for
a small number of critical vulnerabilities. The company adds the information
to its Ultimate 0day Exploits Pack, an add-on set of attacks for the popular
penetration testing tool, CANVAS. A 0-day exploit in Microsoft's Internet
Explorer or Outlook can bring in a dozen new customers in a day, Cesar
Cerrudo, founder and CEO of Argeniss, told SecurityFocus in an e-mail
interview.

"For sure, we will pay more than iDefense," Cerrudo said. "Anyone will pay
more than iDefense."

The nascent marketplace for vulnerabilities could suffer a shakeup if
companies such as Argeniss and Netragard keep up the price pressures.

In 2002, security firm iDefense--now part of Internet giant VeriSign--kicked
off its Vulnerability Contributor Program (VCP), offering thousands of
dollars for security vulnerabilities. While the program grew quickly,
unveiling 150 vulnerabilities in 2005 including 11 flaws in Microsoft
software, the number of vulnerabilities outed by the program declined in
2006. The company only published 81 advisories in 2006 for flaws found by
VCP researchers, only four of which were in Microsoft software (corrected).
Earlier this month, the company offered $8,000 for the first six Windows
Vista or Internet Explorer 7 vulnerabilities exclusively sold to its
program.

The Zero-Day Initiative started at TippingPoint, now a division of
networking giant 3Com, had strong growth in 2006. The program, started in
July 2005, only released advisories for 3 flaws that year, but published
information on 54 vulnerabilities--including 13 in Microsoft software--in
2006. The company does not publish the prices it pays for vulnerability
information, but aims to compete directly against iDefense.

"To date, we have not lost out to iDefense on any offer," said Forslof. "We
have people that have shopped around and they have always gone with us in
the end."

iDefense did not make a spokesperson available for comment on its
Vulnerability Contributor Program. However, a former iDefense manager
believes that the industry still has room for more competitors.

"The vulnerability industry, in general, is still an immature industry,"
said Michael Sutton, the former director of iDefense Labs and current
security evangelist for SPI Dynamics. "I think there is enough volume for at
least a half dozen different players."

If the efforts of Microsoft and other major software vendors reduce the
number of critical flaws, security researchers stand to gain from
competition between buyers, Sutton said. Relying on selling vulnerability
information could pay the rent, he said.

"You would be hard pressed to find someone who relies solely on the income
from vulnerability research," Sutton said. "But the prices are getting high
enough that, depending on where you lived and how good of a researcher you
were, you could make a living."

CORRECTION: The article undercounted the number of Microsoft issues found by
researchers participating in VeriSign's Vulnerability Contributor Program
(VCP) in 2006. The program's contributors found four issues in Microsoft
software.
