Jared DeMott is getting out of the vulnerability sales business. He has had enough of trying to sell information...
about security flaws to companies who do not seem interested. DeMott, a security professional who started US-based security assessment firm VDA Labs, found a security flaw in a popular social networking site's toolbar that could allow attackers to take over a PC. DeMott says he tried to sell the vulnerability to the company, but got no response, so he went public with the information. The affected firm patched the vulnerability within a day.
"What else were we going to do? We wanted to move on," says DeMott. Too many suppliers refuse to cooperate when approached with information about vulnerabilities in their products, he says.
If researchers find a major bug in a popular product, they can often sell that information easily to the provider of that product or to a security product supplier that will roll the information into its own tools. But it can be more difficult to sell information on less popular products such as business reporting tools, he says.
"We have found a number of flaws in products like that, and they are hard to unload," he says, adding that some suppliers will accuse researchers of extortion. "It is hard to find a legitimate buyer."
It is not hard to find illegitimate ones, however. "We have seen people paying hundreds of thousands of dollars in some of the underground markets," says Greg Day, security analyst for McAfee.
When people first began to understand that security in computing was going to be a problem, information about vulnerabilities and the exploits that used them spread slowly. They were exchanged among niche communities of hackers, as they are today, but the commercial internet was in its infancy, and the world was a much larger place. Now, a zero day attack can infect large swathes of the internet in hours.
A good example is the .ani zero day exploit that targeted Windows users in the spring. Malicious website operators quickly exploited the vulnerability in the operating system's animated cursor handling system, and were able to cause a buffer overflow when Internet Explorer users visited their sites.
In the worst cases, attackers were able to take complete control of a system. By 2 April, just a few days after the exploit had been released, security firm WebSense was reporting more than 100 sites using it, mainly in China. A week later, a day before Microsoft released a patch, the same company reported more than 2,000 sites getting in on the action, including some in Eastern Europe.
No wonder zero day exploits are such big business. As with most markets for valuable resources, it was only a matter of time before someone attempted to formalise the arrangement and introduce more liquidity.
Enter WabiSabiLabi, an auction site for vulnerability information that commenced business this summer.
Researchers can sell information about the vulnerabilities that they have discovered in various ways. They can conduct an auction with a predefined starting price, eBay style, or they can sell it to as many buyers as possible for a fixed price. It is also possible to arrange a private sale with a single customer.
Researchers submit their vulnerability information to the company, which then verifies the information in its own labs. If they pass the test, they can be sold. Researchers choosing not to sell exclusively to a private customer can also gather points for vulnerabilities as part of the company's Vulnerability Sharing Club, which assigns a score based on a vulnerability's maximum selling price.
These points can then be redeemed for further cash payments later on, in a process that Herman Zampariolo, CEO of the site's operating company WSLabi, calls "squeezing the lemon twice".
"It is growing very fast and we are overwhelmed. There are 10 new vulnerabilities per day being submitted," says Zampariolo.
But not everyone is convinced that auctioning off vulnerability information is a good idea. Terri Forslof is one of them. Forslof is manager of the security response team at Tipping Point, which operates a zero day initiative of its own.
The company buys vulnerabilities from researchers and uses them to enhance zero day protection in its own security products. It also passes those on to the software suppliers that own the vulnerable products, Forslof says. "It takes away from researchers having to work a deal with the product suppliers," she says. "We do the legwork for them."
Forslof worries that an auction site will be open to hackers who will then use purchased vulnerability information for their own illegitimate purposes. "If we were to see these vulnerabilities selling for large sums, you would have to make the assumption that there is going to be a return on investment to the buyer," she warns.
However, Zampariolo says that he is offering a legitimate alternative. "The black market for vulnerabilities already exists. We are not changing the existence of that market," he says. The company also has checks and balances in place, he argues. Those wishing to bid on vulnerabilities must present company certificates. Personal documents and a landline must also be provided.
"We screen both sides of the market in a way that not even Swiss banks are doing," he argues. However, one wonders whether such measures will be strong enough to ward off criminals who are often experts at identity theft and impersonation.
Emerson Tan is fundamentally opposed to the idea of anyone selling vulnerabilities. Tan is one of the people behind Packet Storm, a community of security researchers that publicly posts all vulnerabilities it finds as part of its zero tolerance policy on security flaws. The only exception to its full disclosure policy would be an internet-killing vulnerability that would take down the entire global network.
"Imagine that there was a set of circumstances where your car would burst into flames, killing you and your family in a cheerful, fiery inferno," he says, likening the vulnerability market to blackmail. "Now imagine that a person says, 'I know the set of circumstances in which your car will explode, but if you want to know, you will have to pay me. Oh and by the way, it is an auction'. How would you feel about that?"
Tan's question is a timely one. For the past few years, the argument has focused on whether researchers should publish information about security flaws straightaway, or whether they should give them to the suppliers to deal with at their leisure. "That argument is kind of dead in my mind," says DeMott. "This is the new question: is it okay to publicly trade vulnerabilities?"
However, Tan argues that, "Vulnerability information and the research that goes into it is a public good, in the same way that making sure kettles do not spontaneously explode is a public good."
He suggests that the real flaws lie in the law. "Somehow, via licence agreements, the software makers have managed to get out of this altogether. All the liability is passed on to the user." Looking at the average software end-use licence agreement, which essentially absolves the software supplier of any responsibility, it is difficult to disagree with him.
However, that may change if the House of Lords has its way. Its Science and Technology Committee's inquiry into personal internet security, published in early August, made several recommendations, but one of the most contentious was that European legislators should move to make product suppliers liable for security flaws. Should that occur, it would shake up the market considerably, and potentially make some suppliers more willing to pay researchers for their efforts.
The problem is that software suppliers have not always excelled at software security. So it could be argued that researchers provide a valuable independent resource that can help make products more secure. However, they do not spend hours picking through source code for free.
But there is yet another problem facing people trying to formalise the market for vulnerabilities. Publish too little information about the flaw and you may have difficulty gathering interest. Publish too much, and you may tip off hackers to reverse engineer an exploit purely from the description.
Zampariolo says that WSLabi has been experimenting with issues such as these in its early days, and at least one flaw had to be taken down because a patch was released within a few days of the listing.
Already, on some security forums, one individual philosophically opposed to WSLabi's operating model is publishing what he claims are fully engineered exploits for vulnerabilities listed on the auction site. The message attached to his posts reads: "End hacker oppression, destroy WabiSabiLabi!"
And while researchers have to eat, it is easy to see how trying to glean the largest payment possible for information about a vulnerability could be seen as extortion. "It assumes that all researchers wear white hats, but it is not taking into account that a lot of researchers are in it for the money," says Turner.
The approach taken by some firms such as the Mozilla Foundation, which offers £250 and a T-shirt under its bug bounty program, might catch many bugs. But will it catch the ones offered by unscrupulous researchers to higher-paying black market operators?
In an environment where the product is information, and where there is no known way to protect that information as intellectual property, anyone trying to formalise the market is playing a dangerous game. The business model that made eBay so successful may not apply when transferred to the darker regions of the internet.