The old image of vulnerability researchers is the teenage outcast tinkering away in the basement, finding flaws in Windows machines, Oracle databases and Cisco routers and releasing proof-of-concept exploit code at will to the dismay of the affected vendor. But somewhere along the way, something changed.
Today, one might say relations between vendors and flaw finders are almost friendly, a departure from the days where researchers like Next Generation Security (NGS) Software's David Litchfield and Oracle clashed over the database giant's security holes on a monthly basis.
So what happened? According to several vulnerability researchers, vendors are under growing pressure from customers to take security more seriously, leading the vendors to actively seek intelligence on their product flaws. In the process, flaw discovery has become an industry in itself, conducted in corporate settings with tighter rules on when and how flaw findings can be released to the public.
The power of money
As the chief technology officer of Immunity Inc., Dave Aitel has seen the change firsthand. When his company released attack code for the Windows TCP/IP flaw last week, Microsoft was far more accepting than it used to be under such circumstances. These days, when the software giant releases a security advisory, it is less likely to use its once standard language about a threat not being disclosed properly. As far as Aitel is concerned, the "responsible disclosure" tag was always a bit of a marketing term anyway and he's happy to see it used less often.
"I think there have been great pains in the last five years as to whether researchers should even go to the vendor [with their findings]," Aitel said. "Vendors pushed for responsible disclosure, and now there's a market for this information. People pay money. Any company bigger than a thousand people needs this information. That's where we get most of our sales."
With that in mind, flaw disclosure has turned into a respectable industry and vendors have taken a much more appreciative attitude toward the researchers. Microsoft, probably the target of more researchers than any other vendor, is a good example of that, Aitel said.
"As a rule they maintain a friendly attitude toward researchers," he said. "They know researchers are out there working on this, and there was a real revolution in their thinking. Today they have a very mature outlook."
Meanwhile, he said, the tone of flaw disclosure in the research community has changed for several reasons, most notably because many now work for big companies with lawyers, rules and regulations. Researchers are going where the money and the fun is, he said.
More opportunity for researchers
Danny Quist, chief executive officer and co-founder of Offensive Computing LLC, said a symbiotic relationship of sorts has developed between Microsoft and the research community. He said Microsoft was one of the first large companies to realize that having a lot of outsiders testing their software for them was a simple matter of economics.
"As long as they can control the distribution of information about the vulnerabilities in their software, they get free quality assurance," Quist said in an email exchange. "Their reward to the security researcher is that of credibility by mentioning their name in the vulnerability disclosure. Their outreach programs at venues like Black Hat are really making the community want to open up to them, or at least be more friendly about disclosure."
While there is still hoarding and selling of vulnerabilities, this has opened up more opportunities for the researchers, Quist believes. Large companies are offering in-depth security analysis and are willing to pay researchers well to find flaws for them. Finding enough flaws to make a living is sometimes difficult and competitive, and a steady paycheck is something that's nice to have, he said, adding, "Security research is big business and people need to make money to live."
New York-based researcher Dino Dai Zovie first started disclosing security flaws in 2000 and has made a name for himself discovering and reporting vulnerabilities in a variety of commercial operating systems and open source projects. From that vantage point, he has seen the shift in vulnerability disclosure practices from full disclosure toward what vendors like Microsoft would call responsible disclosure.
"Back then, many vendors were slow to react to reported vulnerabilities and the gentle threat of full disclosure, sometimes including a working live exploit, was necessary to encourage vendors to address the vulnerability in a timely fashion," he said in an email interview. "I had one large Unix vendor take roughly a year and a half to fix a remote code execution vulnerability I had reported, only to later patch it quietly without giving me any credit."
After that experience, he stopped reporting security vulnerabilities to the vendor in question, and grew increasingly frustrated with researchers who were quick to disclose the vulnerabilities publicly, since the vendors responsible often weren't responsive or appreciative. But much has changed in recent years, he said.
"More recently, large software vendors are more mature in their vulnerability report handling and patching practices and recognize the need to deal with external vulnerability researchers," he said, adding that most large vendors provide some sort of time frame to the researcher on when the issue will be addressed and are better at giving credit to those who find their flaws.
Signs of the past remain
As much as things have changed, some researchers point to examples of how the relationship between vendors and hackers can still be dicey. Israeli vulnerability researcher Aviv Raff said it really depends on the vendor or the severity of the flaw.
"There are vendors who will complain on publicly disclosing each and every vulnerability, even ones which are low severity, and there are vendors who won't complain even if you publicly disclose a critical vulnerability," he said. "I agree that some of the vendors did change their behavior in the past three years."
Raff is an ardent supporter of full disclosure when the impact is more positive than negative. For example, he won't disclose technical details of a zero-day vulnerability that might be used to create a worm, but will disclose that it is possible in order to push the vendor to fix this issue as soon as possible.
Quist said some software vendors also remain somewhat reluctant to pay for flaw intelligence, and it's typically simpler to sell it to third-party organizations. Vendors liken it to extortion, but the researchers refer to it as free quality assurance, he said, adding that the end result is that unless the vulnerabilities are reported to groups that are likely to notify the vendor, the flaw is going to continue to exist.
"Personally I would like to see more openness in the vulnerability economy," he said. "It would be nice, as a researcher, if a vulnerability could be sold, have some assurance that the vendor would be held to a set of standards for fixing the bug in a timely manner, and that [the researcher] would get a fair value for the information."
For his part, Quist uses three methods for disclosure. As he put it in an email, vendors pay his company to play hacker and limit the results of the disclosure to them. "In that case we absolutely do not disclose vulnerabilities to the public in any manner," he said. "It is up to the vendor to fix, disclose, or do anything they like with it." The company will also sell flaws to one of the third-party vulnerability clearinghouses.
These days, Quist said he's been "pretty busy with the first method so the second has fallen by the wayside," illustrating that things have indeed changed.