A rapidly rising secondary market for zero-day vulnerabilities and improved software coding practices are combining to reduce the number of submissions to the HP TippingPoint Zero-Day Initiative, according to a vulnerability researcher who is overseeing the bug bounty program.
As software development becomes more mature, submissions go down a little bit, but we're still focusing on critical software.
Brian Gorenc, manager, HP DVLabs
While the number of submissions appears to have declined this year, Brian Gorenc, manager of TippingPoint DVLabs at Hewlett-Packard, insists that a strong cadre of security researchers are submitting critical remote code execution vulnerabilities to the program. The flaws are in widely used software, Gorenc said, such as Java, Adobe Reader, Microsoft Internet Explorer and Mozilla Firefox.
"As software development becomes more mature, submissions go down a little bit, but we're still focusing on critical software," Gorenc said in an interview with SearchSecurity.com. "These vulnerabilities can cause widespread damage and our focus is to get them fixed."
The ZDI program took in a record 300 vulnerabilities in 2010 and the submissions increased to more than 350 last year. In 2012, ZDI has so far published 187 advisories for publicly disclosed vulnerabilities discovered by ZDI researchers.
The Zero-Day Initiative (ZDI) was created in 2005 and pays researchers up to $5,000 for serious vulnerabilities. Researchers can also earn points for each vulnerability purchased leading to cash bonuses and other perks. HP also sponsors annual contests with cash prizes for researchers that can demonstrate a working exploit. The researchers sticking by the program can use its existing relationships with software vendors to get recognition for finding the flaw and seeing that the software bug gets fixed, Gorenc said. "It lets those independent researchers focus on their work," he said. "We can act as a middleman for them and obviously they get compensated."
Gorenc said there are no anticipated changes to the ZDI program to address the growing secondary market for zero-day flaws. "We continue to see individuals who want to do security research and want to just do their research and get compensated for it," Gorenc said. "There will always be a place for the Zero-day Initiative. We will continue through 2013 and beyond."
Part of the decline can be traced to Google, Mozilla, Facebook and PayPal, which run programs to pay researchers for critical bugs submitted privately to them. Security firms such as VUPEN, openly admit that they sell exploits to governments and several firms have emerged selling vulnerability exploit information through a subscription model.
They claim to be ethical but the fact that they do not disclose to vendors is absolutely irresponsible and deplorable.
Chester Wisniewski, senior security advisor, Sophos Canada.
Gorenc said the focus is on a specific product for the software vendor programs, while the ZDI program tries to address the entire software ecosystem with the goal to get the flaws fixed. It's important for transparency to track where the vulnerabilities are going through the system and whether or not they have been fixed," Gorenc said.
"Our responsible disclosure policy has worked well for us since beginning of the program," Gorenc said. "We deal directly with the vendors and we validate the case for when they patch an issue."
Some security experts are dismissing the secondary market acknowledging the uncertainty of its impact. Vulnerability researchers should get paid for their work, but turning to the grey or black markets is the wrong approach, said Chester Wisniewski, a senior security advisor at Sophos Canada. Wisniewski rejected firms that fail to disclose flaws to software makers, calling the practice "unethical" and "irresponsible."
"They claim to be ethical but the fact that they do not disclose to vendors is absolutely irresponsible and deplorable," he said. "It's important as a software vendor to get treated fairly under clear rules."
Zero-day protection, mobile flaw submissions
HP also uses ZDI to feed zero-day threat protection to its line of TippingPoint IPS appliances. VeriSign's iDefense Vulnerability Contributor Program provides similar advantage to iDefense customers. VeriSign did not return a request for an interview about the status of its program. Gorenc said the ZDI helps boost threat protection, but HP also has other mechanisms, including threat feeds from its partners, that help boost zero-day attack detection.
Web application vulnerabilities typically make up the bulk of the submissions to the ZDI program. Gorenc said he anticipates more mobile vulnerability submissions in 2013. Mobile baseband, which operates the cellular activity on a smartphone, could is gaining the interest of researchers. "We're going to see people spending more time going after harder to get targets," he said.
Near Field Communications (NFC), a communications protocol being developed for mobile payments, is also gaining interest. Mobile browsers errors, mostly Webkit flaws, are more common, he said. Researchers are also submitting Java flaws at a steady pace. Gorenc said he anticipates more researchers looking at ways to bypass mitigations employed by software makers, such as data execution prevention (DEP) and address space layout randomization (ASLR), methods now being more widely deployed that make code execution more difficult.