Advance information on security vulnerabilities is golden, and at least one security intelligence firm is willing to pay handsomely for it, despite criticism that the practice undermines overall Internet security.
Since last August, iDefense has openly solicited information on previously unknown vulnerabilities, paying hackers between $500 and $1,000 for their discoveries.
The firm uses the data collected through its Vulnerability Contributor Program (VCP) to provide clients with advance security warnings and fixes.
"In one fell blow, we can provide our clients with timely vulnerability information while doing good for the Internet community by taking the announcement through the vendor disclosure process," said David Endler, iDefense's director of technical intelligence. "A lot of vulnerabilities are traditionally just posted to Web sites and mailing lists without the benefit of vendor notification."
Accepting vulnerability tips and information from the digital underground is nothing new. Security firms will often collaborate with hackers to verify and correct vulnerabilities. What's new is paying hackers, a practice that's drawing mixed reviews.
"Security companies that provide financial incentives to find flaws in systems and share the vulnerabilities with vendors as they are discovered contribute to society by pumping money into
However, in a recent Packet Storm poll, only 9.1% of the respondents said firms that purchase vulnerabilities from hackers contribute to the security of the Internet. And nearly one-third say the practice stimulates the disclosure of zero-day vulnerabilities.
"The idea of rewarding people for trying to break into systems -- even if they're doing it benignly on their own as a hobby -- really strikes me as the wrong approach," said Gene Spafford, a Purdue University computer science professor and director of the Center for Education and Research in Information Assurance and Security.
"If companies hired these people as full-time, in-house employees, that's one thing," Spafford added. "But to be offering a bounty outside the company is conveying the message that anyone can break into systems and make money from it."
Several security vendors and research firms contacted for this story say they don't pay hackers for vulnerabilities. However, sources say that it's a common under-the-table practice among IT consultancies and some security vendors, who use the information to gain an advantage over competitors.
"Security firms who use this practice don't want their clients to know that they don't have the talent in-house," said Gary Bahadur, CIO of security firm Foundstone.
iDefense built VCP with controls to ensure the information it buys comes from reliable, legitimate sources. Without going into too many specifics, the firm says it checks out contributors before accepting information.
In most cases, VCP contributors are students, white and gray hat security enthusiasts and professionals. Endler said the firm avoids dealing with black hats. Depending on the severity of the vulnerability and the exclusivity of the information, iDefense will pay between $400 and $900 per vulnerability, and a $100 bonus for allowing iDefense to lead the vendor notification process.
iDefense declined to specify the maximum amount it has paid for a vulnerability, but indicated it would negotiate outside its established range for "juicy information."
"The money is just an additional incentive for people sitting on vulnerabilities to release the information," said Matt Conover, founder of the w00w00 hacker group.
Critics say it's nearly impossible to verify the identity of hackers peddling their wares, especially if those people want to remain anonymous.
"There are a lot of shades of gray heading toward black in this area," said Foundstone's Bahadur. "A legitimate researcher investigates vulnerabilities for name recognition and to try to help the security industry. If you're in it for the money, odds are you're using that exploit for some other purpose as well."
iDefense addresses the misuse of vulnerability information through its contractual agreements with contributors. Hackers are prohibited from sharing their discoveries with others until the firm has completed its disclosure process, which usually takes two weeks.
"iDefense is able to formulate stopgap workarounds and countermeasures to mitigate exploitation during the exposure window that exists until a vendor fix becomes available," Endler said.
Pundits say contractual agreements are virtually meaningless to many members of the digital underground. While iDefense may be protecting its paying customers, an unscrupulous hacker could collect his bounty and still exploit scores of enterprises that don't receive the advance intelligence.
Critics also say there's no way of controlling information once it's released to a third party.
"Companies [that engage in this practice] may prohibit the discoverer from posting to underground lists, but taking into account all the recipients of the information, there's no way to know for sure that it won't be," Spafford said.
Some information may leak, but supporters say this process is more responsible than many of the existing disclosure models.
"It's better for someone to get paid to find a vulnerability and give it to a responsible security company that will contact the affected vendor and arrange for a fix, rather than allowing it to circulate in the underground, where it may remain unknown to the security community," Conover said.
Legal and Ethical Concerns
The ultimate lack of control over purchased vulnerability information is what really concerns traditional white hat security practitioners. They say there are too many "what ifs" to make the practice worthwhile.
"There's the ethical issue of really not being able to control who is buying this stuff, followed by the liability issue that's introduced that overwhelms the possible benefits of doing it," said Ed Skoudis, VP of security strategy at Predictive Systems. "Overall, I think it's unethical, and it doesn't make economic or business sense because you're going to be sued big time."
The issues of legal liability, however, aren't clearly defined.
"Several potential areas of liability may be implied, but I must emphasize that the law in this area is very unclear," said Michael Overly, a partner at Foley & Lardner, a firm that specializes in Internet law. "While not specifically engaging in reverse engineering and other activities themselves, the security companies might be held 'vicariously' liable. They could be seen as simply paying money to someone else to engage in potentially illegal or unauthorized activity."
Legal and ethical issues aside, iDefense and other companies will likely continue vulnerability payment programs for the time being. "I think this practice is completely widespread in the industry," said Theo de Raadt, project leader of OpenBSD. "If we fix a whole bunch of these vulnerabilities now -- even if money is what accelerates it -- we'll be more secure, and new vulnerabilities will be discovered and fixed in a continuous cycle."