No More Free Bugs is the new security researcher credo. A few high-profile bug hunters have decided gratis is a
goner and they're not giving away their work for nothin' no more. Vendors such as Apple, Oracle and Microsoft can find their own browser bugs and buffer overflows. These guys are taking their keyboards and fuzzers and are going home.
The reason for the change in attitude is apparently twofold: 1) Bugs are hard to find. What used to take a couple of hours of spare time to find now takes a weekend -- or a week, or a month; and 2) yesterday's young bug-finder is today's adult complete with spouses, kids, mortgages and bills to pay. They're not going to be satisfied with a tip-of-the-cap mention in the Patch Tuesday bulletin any more.
Gratis is a goner.
The revolution began at the CanSecWest conference in March in Vancouver where Charlie Miller won the Pwn2Own contest for the second consecutive year, and was paid $5K for the bugs he used to crack a fully patched Macbook. Shortly thereafter, Miller, Dino Dai Zovi, another Apple bug-hunter, and Alex Sotirov, a prolific Windows hacker, held up a modest cardboard sign bearing Miller's declaration of No More Free Bugs. And it was on.
They told attendees they want to get paid for work they're doing. Big software vendors such as the above-mentioned Apple, Oracle and Microsoft, who happen to employ very expensive security researchers of their own to ferret out bad code and patch problems before they reach the customer, are benefitting from free QA testing from these guys. Those days are over, they say.
Well, fine. But here's a question or two: Who is asking you guys to mess around with Windows, Mac OS X or Oracle DB? And while we're at it, why should the vendors pay you for work they did not contract you to do?
I talked to Charlie Miller and asked him that very question. I also asked him about critics who equate No More Free Bugs and demands for payment to extortion (I believe extortion is a ridiculous extreme in this case, considering the individuals involved and their motivations).
Miller concedes the point that bug finders aren't hired guns and emphasized he'd never blackmail a vendor with a bug he'd found.
"Regardless, I have piece of information that makes their product and their users more secure," Miller says. "How important is it to them that their products and users be secure? If they think it's important, then they should consider giving me compensation. They're more than free to have their security guys look for the same bug, so be it. They're under no obligation compensate, and we are under no obligation to give them the bug."
"What we really want is there to be some way researchers are compensated for important security vulnerabilities -- something that affects millions of users," Miller says.
Miller outlines a scenario he'd like to see where CERT or some other organization, supported by government and/or vendors, pay researchers. "Microsoft is paying an obscene amount of money ($250,000) for information about the author of Conficker. I think they can pay a million dollars toward a fund for researchers. Likewise for Apple, Oracle and others."
There's also talk of starting up a website where researchers would be able to report bugs that have been reported to vendors. Miller says the bugs would be verified and then posted to a feed that would illuminate the lag between disclosure and a fix.
Miller insists this isn't about disclosure, and shoos away the argument that sitting on a bug does more harm than good, countering with the thought that if there were compensation at the end of the bug-finding rainbow, he'd be more motivated to look for them.
TippingPoint's Zero-Day Initiative (ZDI) and VeriSign's iDefense Vulnerability Contribution Program (VCP) already offer payment for vulnerabilities. Bugs reported to these programs are disclosed to the affected vendors and details are shared with customers. Payment amounts are not disclosed because contributors are asked to sign non-disclosure agreements promising not to reveal the rewards. Ironically, ZDI sponsors Pwn2Own and has handed Miller a pair of cash awards for his efforts, despite Miller's general disagreement with ZDI.
"Their motivation in buying vulnerabilities is making their research of vulnerabilities easier so they can write more signatures for the IDS they sell," Miller says. "It doesn't matter to them how critical a bug is, they still have to make a signature for it. If you're Microsoft or Cisco, and I have a vulnerability that would let me write the next Conficker, (ZDI) wouldn't have the same interest the vendors would have, which would be to keep their customers safe. I love that they pay researchers, but it's probably not the best solution."
At the end of the day, Miller, Dai Zovi, Sotirov and anyone else standing behind the cardboard placard of No More Free Bugs aren't likely to start getting paid now, since they've never been before. And Miller understands this genie isn't going back into the bottle.
"I don't blame companies for not paying us. If I were getting free food from somewhere, I would never buy food again. It's the same with researchers and free bugs," Miller says. "We need to stop giving them information for free."
"I'd be completely shocked if it ever happens. Vendors are happy with the status quo; everyone is happy except us," Miller says. "No one is motivated to change except for us. The only thing we can do is hold back. Are we going to change things? We're going to do what we can do."
Michael S. Mimoso is Editor of Information Security. Send comments on this column to firstname.lastname@example.org.