[ISN] Security experts hit out at "unethical" bug finder

InfoSec News isn at c4i.org
Mon Mar 14 04:43:43 EST 2005


http://software.silicon.com/security/0,39024655,39128621,00.htm

By Will Sturgeon 
silicon.com
March 11, 2005 

Security experts have hit out at US firm Immunity Inc, which provides
paid-up members with vulnerability information under non-disclosure
agreements (NDA), which it subsequently keeps from vendors and the
world at large.

A silicon.com article last week revealed Immunity and its founder Dave
Aitel have been causing a stir in the security world in recent months
with a business model branded "unethical" but entirely above-board.

The greatest source of growing concern appears to focus on the NDA and
the potential for anybody to sign up and pay the price for
notification of vulnerabilities.

One rival bug finder, who operates along the more traditional lines of
informing the affected vendor of the flaw in its product and working
with them to patch it before releasing any details of the
vulnerability, has hit out at Immunity Inc.

Drew Copley, senior research engineer at eEye Digital Security, told
silicon.com the situation of signing members to a non-disclosure
agreement in return for information on security vulnerabilities is
"extremely unethical".

"What are these people missing here?" asked Copley. "Are they crazy?  
What prevents any organised criminal group or criminal from getting on
there and signing a NDA?"

"We treat security vulnerabilities that are not fixed yet by the
vendor as state secrets. Selling them to anyone who would pose as a
company or sign a NDA is highly unethical."

Copley said even "total disclosure", whereby everybody . vendors,
researchers and the general public alike - is given the information at
the same time would be preferable.

eEye was last week credited for working with Computer Associates to
fix flaws in CA's licensing software.

Simon Perry, VP security strategy at CA, told silicon.com: "Knowledge
cannot be effectively controlled. NDAs in the IT community as a whole
are not taken seriously and there do not appear to be adequate
controls to ensure that the information does not leak to those who
have an interest in creating a dangerous exploit."

"The business model deliberately creates a culture of the security
haves, and the security have-nots. It does not improve security
overall," he added.

Perry also questioned whether Aitel's customers are getting value for
money. Because vendors are kept out of the loop, flaws go un-patched
while Immunity's customers are given a workaround.

"You're given a workaround by Immunity, but you don't have a fix . a
patch from the vendor that permanently addresses the problem. The door
is closed, but it's not locked shut."





More information about the ISN mailing list