Information Security News mailing list archives

Re: Bug Finders: Should They Be Paid?


From: InfoSec News <isn () c4i org>
Date: Tue, 13 Aug 2002 04:25:46 -0500 (CDT)

Forwarded from: Emerson Tan <et () c4i org>


At 02:46 12/08/2002 -0500, you wrote:
http://www.wired.com/news/technology/0,1282,54450,00.html

[When this was being talked about at Defcon 10, I overheard one
party mention that if this was the case, then he could very well
become a majority shareholder in iDefense with the number of
vulnerabilities in his collection.  - WK]


By Michelle Delio 
1:25 p.m. Aug. 9, 2002 PDT 

A security company's offer to pay for information on bugs discovered
in software has once again stirred discussions over a long-simmering
issue -- whether independent researchers should receive compensation
for the flaws they find and how information about security
vulnerabilities should be disclosed.

<snip>

While no one is accusing iDefense of selling secrets to the enemy,
some worry that cash rewards could encourage widespread unethical
behavior, such as bug hunters partnering with company-employed
programmers to purposely plant and then "discover" flaws.

It's worth pointing out that at least one software firm tried this
internally in the early '90s and almost immediately hit the collusion
problem, resulting in a bunch of well-off programmers and no
improvement in software quality. This company couldn't effectively
monitor its own internal communications, so it's going to be very
hard for someone like iDefense to audit a scheme like this for this
kind of dishonesty.

Indeed, the scam inside the software company was only discovered when
someone plotted out the number of bugs discovered and pointed out that
there was no way that so many bugs could have crept into such small
bits of code. Without access to source for many products, iDefense
probably can't do this analysis. I would caution them to think twice
before engaging in this course of action unless they have very deep
pockets.


iDefense spokesman Michael Cheek said that the company will work
only with those who ethically discover valid vulnerabilities.

This raises the question of what is an ethically discovered
vulnerability and how you find out.

If I steal the source for, say, IOS, and discover an exploitable
problem via source code analysis, I can invent a cock-and-bull story
and still be paid. iDefense is going to be no wiser unless they look
through all my possessions, as I've faked my working notes (trivial) and
have written some shifty test code (trivial again). This obviously
wasn't ethical.

Unless iDefense releases its audit methodology and ethical criteria,
anything like this is going to be suspicious. It is left up to the
interested reader as to how to circumvent any safeguards iDefense may
have in this area.

Emerson


---
"None are more hopelessly enslaved than those who falsely believe they are
free." - Goethe
Emerson Tan
Freelance Thinker
et () c4i org :PGP public key on request or from http://pgpkeys.mit.edu 
PGP key fingerprint: 71E9 0C2A CD8F 44AC 4CA5  BB3D 09D4 0B6E 2734 DC72
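The collusion check Emerson mentions, plotting bugs found against the size of the code they were found in, as an added example that is not from this thread or from iDefense: the reporter names, component sizes and report counts are constructed, the baseline bug density is taken from the other components, and a Poisson tail probability flags a reporter whose count in one component is implausible at that density.

```python
import math
from collections import Counter

# Constructed sample data (not from the article): one entry per accepted
# bug report under a hypothetical internal reward scheme, plus the size of
# each component in lines of code.
REPORTS = (
    [("alice", "parser")] * 2
    + [("bob", "netstack")] * 3
    + [("carol", "cli")] * 8      # eight bugs in an 800-line tool
    + [("dave", "cli")]
    + [("erin", "ui")]
)
COMPONENT_LOC = {"parser": 12000, "netstack": 40000, "cli": 800, "ui": 25000}


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam), from the lower terms of the pmf."""
    if k <= 0:
        return 1.0
    term = math.exp(-lam)          # P(X = 0)
    cdf = term
    for i in range(1, k):
        term *= lam / i            # P(X = i) from P(X = i - 1)
        cdf += term
    return max(0.0, 1.0 - cdf)     # clamp rounding noise below zero


def flag_implausible_reporters(reports, sizes, alpha=0.01):
    """Return [(reporter, component, count, p)] for reporter/component pairs
    whose bug count is implausible given the bug density observed in the
    OTHER components (leave-one-out, so a planted cluster cannot inflate
    its own baseline). Sorted by p, smallest first."""
    counts = Counter(reports)                     # (reporter, comp) -> bugs
    per_component = Counter(c for _, c in reports)
    total_bugs, total_loc = len(reports), sum(sizes.values())
    flagged = []
    for (reporter, component), k in counts.items():
        loc = sizes[component]
        other_loc = total_loc - loc
        if other_loc == 0:                        # nothing to compare against
            continue
        baseline = (total_bugs - per_component[component]) / other_loc
        p = poisson_tail(k, baseline * loc)       # expected bugs at this size
        if p < alpha:
            flagged.append((reporter, component, k, p))
    return sorted(flagged, key=lambda row: row[3])
```

With the constructed data only carol's eight bugs in the 800-line tool are flagged; dave's single bug in the same tool is not, because one bug in 800 lines is unremarkable at the baseline density.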



-
ISN is currently hosted by Attrition.org

