[Infowarrior] - Flaw auction site highlights disclosure issues
Richard Forno
rforno at infowarrior.org
Tue Jul 17 17:50:21 UTC 2007
Flaw auction site highlights disclosure issues
Robert Lemos, SecurityFocus 2007-07-13
http://www.securityfocus.com/print/news/11474
Four years ago, rootkit guru Greg Hoglund found himself a day away from
launching an auction site for vulnerabilities.
The security researcher had created the Web site, lined up a handful of
vulnerabilities to kick off the auction, and even had leaked the story to
SecurityFocus. Riffing off eBay's fame, Hoglund had christened the site
ZeroBay. Yet, a day away from launching, the researcher pulled the plug
instead.
"I had a frank discussion with my wife, and we decided that the business
would have too many potential legal issues," said Hoglund, who now heads up
digital forensics firm HBGary. "We didn't want to accept the financial
liability for it."
The story serves as a cautionary tale for the creators of the first public
vulnerability auction site, the oddly named WabiSabiLabi, which went live
last week. The site has garnered wildly varied reactions from researchers
and professionals in the security industry -- some approving, others not --
but all agree that the auction site is breaking new ground.
Run by start-up firm WSLabi, a Swiss-owned company, WabiSabiLabi launched
with four vulnerabilities -- including flaws in Linux, Yahoo Messenger and
SquirrelMail -- on the block at prices ranging from €500 to €2,000. The
company is staffed with relatively unknown members of the security industry,
many from Italy. Perhaps the best known member of the team, Roberto
Preatoni, is the founder of the defacement-tracking and security Web site
Zone-H.org.
The site is off to a rocky start: The company has already had to pull two of
the vulnerabilities for sale. Researchers were able to pore through the
SquirrelMail code and find that flaw, while the Linux kernel issue was found
to be already public. Preatoni, director for strategy at WSLabi, said such
setbacks are expected.
"It will take time to see what (the auction model) will produce, either for
bad or for good," Preatoni said. "We are just doing our best to find a
viable way to redesign the vulnerability market in favor of the
researchers."
Yet whether the auction model is right for the security world is a big
question in the minds of many security professionals. A big ethical
consideration is whether the auction model will result in vulnerabilities
being fixed, or bought for use against unsuspecting targets. Some worry that
vulnerabilities will be sold to cybercriminals who will use them for
malicious purposes.
"The bottom line is that we know that selling vulnerability information can
be dangerous," said Terri Forslof, manager of security response for the Zero
Day Initiative, a vulnerability bounty program run by 3Com subsidiary
TippingPoint.
WSLabi does not notify the vendor of the vulnerabilities put on the auction
block but leaves that decision to the researcher selling the information.
The company is not the owner of the information, so the decision to notify a
vendor is not its to make, WSLabi's Preatoni said.
"The point is that we are not selling," Preatoni said in an e-mail interview
with SecurityFocus. "This is what most people didn't understand in our
business model. We just run facilities, offer visibility, and do the
marketing communications. The researcher is selling."
That's a deal breaker for others in the security industry. The ethical
problems and potential legal issues scuttled any thought of using auctions
for the Zero Day Initiative, TippingPoint's Forslof said.
"I'm not personally opposed to an auction," she said. "That was one of the
models we talked about ourselves with the Zero-Day Initiative. But we could
never find a way to make it work responsibly and make it fit into our
corporate value system."
TippingPoint would never consider bidding in the auctions, Forslof said.
Microsoft also nixed the idea.
"We do not believe that offering compensation for vulnerability information
is the best way we can help protect our customers," the software giant said
in a statement sent to SecurityFocus. "Our policy is to credit finders who
report vulnerabilities to us in a responsible manner."
While auction models might not help vendors, they do allow researchers to
potentially profit more from their discoveries.
In a recent paper, security researcher Charles Miller described his
experiences in selling vulnerabilities. One sale could have netted Miller
$80,000, but because he could not get the exploit code working for a
specific version of Linux, Miller settled for $50,000. The other sale, for
$12,000, was scuttled when Microsoft fixed the vulnerability in question.
Auctions level the playing field and allow competition for the information,
said Miller, who is a principal security analyst for Independent Security
Evaluators. For that reason, he supports WSLabi. "I think it's a great idea,
in theory," he said.
Yet, the company has some major hurdles ahead, he added.
Selling information is a tricky game. Give away too much to the buyer, and
they no longer need to buy the information. On the other hand, the buyer
requires some information to place a value on the vulnerability.
That's why most people who sell vulnerability information have already
established credentials and trust with the buyers.
Miller believes that WSLabi currently lacks the credentials to act as a
middleman.
"These are, basically, people that I have never heard of before and I have
no reason to trust them," he said. "With TippingPoint and iDefense, you
basically don't have to worry about them screwing you over."
HBGary's Hoglund agrees. At the time when ZeroBay was ready to launch, he
was a known quantity in the industry and believes he had the clout to get
the concept off the ground. WSLabi has a way to go, he said.
"I don't think anyone knows who they are," Hoglund told SecurityFocus. "They
don't have any industry credibility and they are incorporated in a country
that does not appear to be their home country."
The reasons for the company's Swiss registration are no secret, said
WSLabi's Preatoni. The owners are based in Switzerland, so they decided to
incorporate in that country. However, the Swiss registration also heads off
many of the legal issues that the company might have in the United States or
in the European Union, he said.
"Switzerland has far more clear laws (regarding WSLabi's business model),
while, generally speaking, the laws in the EU are old laws subject to the
personal interpretation of the court (and represents) a huge gray area in
terms of legislation, which needs to be sorted out as soon as possible."
In the United States, while the auctioning of information is not illegal,
the act could create a great deal of liability for a U.S.-based company,
according to Jennifer Granick, executive director of the Center for the
Internet and Society at Stanford University's School of Law.
"Distributing the vulnerability to someone who is unknown -- but who is only
recommended by their ability to pay the highest price -- and then not
telling anyone else, adds liability," Granick said.
While the company does request that people who register to be a buyer or
seller provide identification, such a measure could be easily circumvented,
she added.
The auction site has shown one definite benefit, however: Publicly selling
vulnerabilities stokes interest in finding the flaws first. ISE's Miller
joined others in trying to track down the SquirrelMail vulnerability, which
was eventually found and even appears to have been previously submitted to
iDefense's Vulnerability Contributor Program.
"I don't think anyone would have looked at the code for SquirrelMail,"
Miller said. "The fact that they had (the flaw) on there, made me look at
the code."
While proponents of open-source software frequently argue that public source
code means that more people -- or "many eyes" -- will audit the code for
vulnerabilities, many open-source projects do not get frequent reviews.
If the auction site takes off, however, security researchers may continue to
try and beat buyers to the punch -- and that's a good thing, said HBGary's
Hoglund.
"As soon as you post up an auction, everyone in the industry is going to
take a look at (the application)," he said. "And that puts thousands of
eyes on that code."