Information Security News mailing list archives
Re: Bug Finders: Should They Be Paid?
From: InfoSec News <isn () c4i org>
Date: Tue, 13 Aug 2002 04:25:46 -0500 (CDT)
Forwarded from: Emerson Tan <et () c4i org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 02:46 12/08/2002 -0500, you wrote:
http://www.wired.com/news/technology/0,1282,54450,00.html

[When this was being talked about at Defcon 10, I overheard one party mention that if this was the case, then he could very well become a majority shareholder in iDefense with the number of vulnerabilities in his collection. - WK]

By Michelle Delio
1:25 p.m. Aug. 9, 2002 PDT

A security company's offer to pay for information on bugs discovered in software has once again stirred discussions over a long-simmering issue -- whether independent researchers should receive compensation for the flaws they find and how information about security vulnerabilities should be disclosed.
<snip>
While no one is accusing iDefense of selling secrets to the enemy, some worry that cash rewards could encourage widespread unethical behavior, such as bug hunters partnering with company-employed programmers to purposely plant and then "discover" flaws.
It's worth pointing out that at least one software firm tried this internally in the early '90s and almost immediately hit the collusion problem, resulting in a bunch of well-off programmers and no improvement in software quality. This company couldn't effectively monitor its own internal communications, so it's going to be very hard for someone like iDefense to audit a scheme like this for this kind of dishonesty. Indeed, the scam inside the software company was only discovered when someone plotted out the number of bugs discovered and pointed out that there was no way that so many bugs could have crept into such small bits of code. Without access to source for many products, iDefense probably can't do this analysis. I would caution them to think twice before engaging in this course of action unless they have very deep pockets.
iDefense spokesman Michael Cheek said that the company will work only with those who ethically discover valid vulnerabilities.
This raises the question of what is an ethically discovered vulnerability and how you find out. If I steal the source for, say, IOS, and discover an exploitable problem via source code analysis, I can invent a cock and bull story and still be paid. iDefense is going to be no wiser unless they look through all my possessions, as I've faked my working notes (trivial) and have written some shifty test code (trivial again). This obviously wasn't ethical. Unless iDefense releases its audit methodology and ethical criterion, anything like this is going to be suspicious. It is left up to the interested reader as to how to circumvent any safeguards iDefense may have in this area.

Emerson

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPVenHQnUC24nNNxyEQK0cgCgvh8xxkbWXi9DZtcMsAE1kCehNyMAoKac
KfERN6gR07gLfP2A49xXsFKu
=+u40
-----END PGP SIGNATURE-----

---
"None are more hopelessly enslaved than those who falsely believe they are free." - Goethe

Emerson Tan
Freelance Thinker
et () c4i org : PGP public key on request or from http://pgpkeys.mit.edu
PGP key fingerprint: 71E9 0C2A CD8F 44AC 4CA5 BB3D 09D4 0B6E 2734 DC72

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
Current thread:
- Bug Finders: Should They Be Paid? InfoSec News (Aug 12)
- <Possible follow-ups>
- Re: Bug Finders: Should They Be Paid? InfoSec News (Aug 13)
- Re: Bug Finders: Should They Be Paid? InfoSec News (Aug 14)