[Infowarrior] - Zero-day sales not 'fair' - to researchers

Richard Forno rforno at infowarrior.org
Sun Jun 3 15:20:29 UTC 2007


Original URL:
http://www.theregister.co.uk/2007/06/03/market_value_of_software_security_vulnerabilites/
Zero-day sales not 'fair' - to researchers
By Robert Lemos, SecurityFocus
Published Sunday 3rd June 2007 08:02 GMT

Two years ago, Charles Miller found a remotely exploitable flaw in a common
component of the Linux operating system, and as many enterprising
vulnerability researchers are doing today, he decided to sell the
information.

Having recently left the National Security Agency, the security professional
decided to try his hand at selling the bug to the U.S. government. In a
paper due to be presented next week at the Workshop on the Economics of
Information Security (http://weis2007.econinfosec.org/), Miller - now a
principal security analyst at Independent Security Evaluators - writes about
the experience and analyzes the market for security vulnerabilities.

In the case of the Linux flaw, one agency offered him $10,000, while a
second told him to name a price. When he said $80,000, his contact quickly
agreed.

"The government official said he was not allowed to name a price, but that I
should make an offer," Miller told SecurityFocus. "And when I did, he said
OK, and I thought, 'Oh man, I could have gotten a lot more.'"

The sale underscores a significant problem for vulnerability researchers
that attempt to sell a flaw: determining the value of the information. In
addition, time is a major factor: Miller felt pressured to complete the
deal, because if anyone else found and disclosed the flaw, its value would
plummet to zero. In a second attempted sale outlined in the paper, the
disclosure clock ran out for Miller as he tried to sell a PowerPoint flaw
that Microsoft patched this past February before the researcher could close
the deal.

Yet, researchers that sell vulnerabilities should also consider the ethical
issues involved, said Terri Forslof, manager of security response for
TippingPoint, a subsidiary of networking giant 3Com.

"The value of the vulnerability is determined by the amount of time that the
vulnerability can be used to get a return on investment before it is
patched," Forslof said. "If I'm paying $50,000 for a vulnerability, what am I
doing with it? I'm likely not trying to get it patched."

Miller's paper comes as sales of vulnerability information are becoming more
common (http://www.securityfocus.com/news/11437). Driven by researchers'
reluctance to give away hard-won information for free and the
standardization on flaw bounties through initiatives such as iDefense's
Vulnerability Contributor Program (http://www.securityfocus.com/brief/405)
and 3Com's Zero-Day Initiative (http://www.securityfocus.com/news/11253),
flaw finders are increasingly trying to get paid for their work.

Miller found out that selling a flaw for a fair price is difficult. While
the unnamed government agency offered the researcher $80,000, they placed a
condition on the sale that the exploit would have to work against a
particular flavor of Linux. Two weeks later and worried that the flaw might
be found, Miller accepted a lesser offer from the same group for $50,000 for
the exploit as is.

"While I was paid, it wasn't a full success," he wrote in the paper (PDF
(http://weis2007.econinfosec.org/papers/29.pdf)). "First, I had no way to
know the fair market value for this exploit. I may have been off by a factor
of ten or more."

Moreover, Miller had contacts in the government, but could not initially
find the right people with whom to deal. So, he offered a 10 percent cut to a
friend who had better contacts. Other researchers might not be able to find
the right contacts to complete similar deals.

"The only reason this sale happened at all was because of personal contacts
I had, which should not be necessary for a security researcher who wants to
make a living," he wrote in the paper.

The sale of a second vulnerability did not go so well.

In January, Miller was approached by a friend who wanted to sell a flaw in
Microsoft PowerPoint XP and 2003. Miller found very little guidance in the
market to help him set a price, but he believed a company would pay up to
$20,000 for the flaw and a government agency, perhaps $50,000.

In reality, he only had a handful of offers but haggled one company up to
$12,000. Before he could close the deal, however, Microsoft released a fix
for the issue. The delay and difficulty in finding a buyer and the problems
in setting a price had essentially scuttled the deal, Miller said.

"I don't think it fair that researchers don't have the information and
contacts they need to sell their research," Miller said.

Yet, TippingPoint's Forslof stressed that selling to the government is not
necessarily setting a fair price for a vulnerability. Legitimate markets
include companies that use vulnerability information to protect their
customers while they contact the vendor to get the issue fixed. The
government generally constitutes a gray market, because they most likely are
not going to notify the vendor and the researcher does not know how they are
going to use the information. The black market, where the buyers are likely
to use the vulnerability for illicit purposes, would likely pay the most
money but put end users in the most jeopardy.

"There are a range of prices when you are talking about fair market value
versus black market value," she said. "And the government is in a class of
their own. It's a matter of what is going to happen to that vulnerability
and how they are going to use it."

The answers to those questions drove one researcher to deal with a
vulnerability-buying program rather than selling to a government agency.

Security researcher Aviv Raff (http://aviv.raffon.net/) found two
trivial-to-exploit vulnerabilities in a component of the Windows Vista
operating system late last year. He shopped the more critical flaw to a
number of security companies as well as the two major vulnerability-purchase
programs. While some of the security companies bested the offers from
TippingPoint and iDefense, he declined to sell the flaw to them because they
would not commit to notifying Microsoft of the issue.

For the same reason, selling the vulnerability to the government was out of
the question as well.

"I wouldn't mind (selling the information to the government), if I knew they
will report it to Microsoft," Raff said.

Because of the terms of the sale, Raff cannot mention the name of the
program to which he sold the vulnerability nor the price at which he sold
it, except to say it's much less than $80,000.

Raff directly notified Microsoft of the less critical of the two
vulnerabilities. The software giant has not yet patched the flaws.

This article originally appeared in Security Focus
(http://www.securityfocus.com/news/11468).

Copyright © 2007, SecurityFocus (http://www.securityfocus.com/)