Information Security News mailing list archives

Bug Finders: Should They Be Paid?


From: InfoSec News <isn () c4i org>
Date: Mon, 12 Aug 2002 02:46:33 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,54450,00.html

[When this was being talked about at Defcon 10, I overheard one party 
mention that if this was the case, then he could very well become a 
majority shareholder in iDefense with the number of vulnerabilities in 
his collection.  - WK]


By Michelle Delio 
1:25 p.m. Aug. 9, 2002 PDT 

A security company's offer to pay for information on bugs discovered
in software has once again stirred discussions over a long-simmering
issue -- whether independent researchers should receive compensation
for the flaws they find and how information about security
vulnerabilities should be disclosed.

Donors to security information firm iDefense's new Vulnerability
Contributor Program will receive cash awards of up to $400 for each
report of a software vulnerability. Additional bonuses will be paid if
the discoverer agrees to grant iDefense exclusive rights to the
information.

Some welcome iDefense's program, believing that researchers should
profit from their work, but others think that offering cash for
exploits will lead to unethical behavior by -- and possible legal
problems for -- bug hunters.

The widely held opinion within the computer security community is that
a bug hunter -- someone who pokes and prods software for security
flaws -- should either be employed by a software or security company
or do the work on a volunteer basis. At best, the bug hunter should
receive credit for discovering the exploit and perhaps access to tools
which could help the researcher continue work, such as inside
information or program code from software companies.

Bug hunters typically pride themselves on following the rules of
disclosure outlined in the Full Disclosure Policy written by a
security researcher known as Rain Forest Puppy.

The rules detail methods for alerting and working with software
manufacturers, and stipulate that "monetary compensation, or any
situation that could be misconstrued as extortion, is highly
discouraged."

Extortion in this case refers to a company perhaps feeling pressured
to pay a "finder's fee" to the bug hunter. That would turn what should
be an act of good will into a profitable venture, and perhaps lead to
legal hassles for the bug finder, who could be accused of blackmail or
other nefarious activities.

Most bug hunters notify vendors of any problems they discover and
then, once the issue has been addressed, freely post information about
it to a security discussion forum or mailing list such as
SecurityFocus' Bugtraq.

But recent events, such as the $75 million cash purchase of
SecurityFocus by software vendor Symantec, have left some wondering
whether researchers themselves should be able to profit from their
work.

"When I initially heard that a company was preparing to offer
financial rewards to security bug researchers, my first thought was
that it would turn those exploit finders into prostitutes rushing
around finding exploits to make a fast buck," said Marquis Grove of
Security News Portal. "But as I thought further on the subject I came
to the realization that over the years, everyone had been making money
off the work of these researchers except the researchers."

Grove favors iDefense's program, but others feel the Vulnerability
Contributor Program is another example of a company taking advantage
of independent bug hunters.

Security researcher H.D. Moore said the iDefense program "takes the
cake for the most obvious ploy to exploit the security community for
corporate profit."

"The amount they plan on dishing out is trivial in comparison to what
iDefense will be reselling this information for," he said.

Moore said that most of his and other researchers' bug hunting is part
of their paid work. Many are employed as security consultants or
systems administrators, so they are already rewarded for their
efforts.

"The rest of it I do because I like to," Moore said. "Researchers
don't need financial compensation to do what they do."

Many also feel that offering recompense for research will set a
dangerous ethical precedent.

"How long until someone sinister starts bidding against iDefense and
decides that they are willing to pay multiples more in order to lay
their hands on some information they deem desirable?" asked security
researcher A.J. Reznor. "This business model begs competition and the
thinkers involved, the ones doing the real exploit work, hold all the
cards and can shop around and name their price."

As proof of potential problems in the making, Reznor pointed to
alternate pay-for-ploy systems that had been discussed at recent
security conventions.

Reznor also wondered what would happen in "fringe scenarios," where an
exploit ended up in the hands of a country deemed hostile by the
hacker's nation. Would such a sale count as treason?

Illinois attorney Nadine Guessler said that such a situation would
probably not result in a charge of treason, which she said would
require proof that the person acted willfully and with intent.

"But providing sensitive information that was or could be used against
the U.S. certainly would be an extremely uncomfortable situation to
become involved in," Guessler added.

While no one is accusing iDefense of selling secrets to the enemy,
some worry that cash rewards could encourage widespread unethical
behavior, such as bug hunters partnering with company-employed
programmers to purposely plant and then "discover" flaws.

iDefense spokesman Michael Cheek said that the company will work only
with those who ethically discover valid vulnerabilities.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.