[iwar] [fc:Bug.Finders:.Should.They.Be.Paid?]

From: Fred Cohen (fc@all.net)
Date: 2002-08-10 08:41:12

Bug Finders: Should They Be Paid?
By Michelle Delio

1:25 p.m. Aug. 9, 2002 PDT

A security company's offer to pay for information on bugs discovered in
software has once again stirred discussions over a long-simmering issue --
whether independent researchers should receive compensation for the flaws
they find and how information about security vulnerabilities should be
disclosed.

Donors to security information firm iDefense's new Vulnerability Contributor
Program will receive cash awards of up to $400 for each report of a software
vulnerability. Additional bonuses will be paid if the discoverer agrees to
grant iDefense exclusive rights to the information.

Some welcome iDefense's program, believing that researchers should profit
from their work, but others think that offering cash for exploits will lead
to unethical behavior by -- and possible legal problems for -- bug hunters.

The widely held opinion within the computer security community is that a bug
hunter -- someone who pokes and prods software for security flaws -- should
either be employed by a software or security company or do the work on a
volunteer basis. At best, the bug hunter should receive credit for
discovering the exploit and perhaps access to tools which could help the
researcher continue work, such as inside information or program code from
software companies.

Bug hunters typically pride themselves on following the rules of disclosure
outlined in the Full Disclosure Policy written by a security researcher
known as Rain Forest Puppy.

The rules detail methods for alerting and working with software
manufacturers, and stipulate that "monetary compensation, or any situation
that could be misconstrued as extortion, is highly discouraged."

Extortion in this case refers to a company perhaps feeling pressured to pay
a "finder's fee" to the bug hunter. That would turn what should be an act of
good will into a profitable venture, and perhaps lead to legal hassles for
the bug finder, who could be accused of blackmail or other nefarious
activities.

Most bug hunters notify vendors of any problems they discover and then, once
the issue has been addressed, freely post information about it to a security
discussion forum or mailing list such as SecurityFocus' Bugtraq.

But recent events, such as the $75 million cash purchase of SecurityFocus by
software vendor Symantec, have left some wondering whether researchers
themselves should be able to profit from their work.

"When I initially heard that a company was preparing to offer financial
rewards to security bug researchers, my first thought was that it would turn
those exploit finders into prostitutes rushing around finding exploits to
make a fast buck," said Marquis Grove of Security News Portal. "But as I
thought further on the subject I came to the realization that over the
years, everyone had been making money off the work of these researchers
except the researchers."

Grove favors iDefense's program, but others feel the Vulnerability
Contributor Program is another example of a company taking advantage of
independent bug hunters.

Security researcher H.D. Moore said the iDefense program "takes the cake for
the most obvious ploy to exploit the security community for corporate
profit."

"The amount they plan on dishing out is trivial in comparison to what
iDefense will be reselling this information for," he said.

Moore said that most of his and other researchers' bug hunting is part of
their paid work. Many are employed as security consultants or systems
administrators, so they are already rewarded for their efforts.

"The rest of it I do because I like to," Moore said. "Researchers don't need
financial compensation to do what they do."

Many also feel that offering recompense for research will set a dangerous
ethical precedent.

"How long until someone sinister starts bidding against iDefense and decides
that they are willing to pay multiples more in order to lay their hands on
some information they deem desirable?" asked security researcher A.J.
Reznor. "This business model begs competition and the thinkers involved, the
ones doing the real exploit work, hold all the cards and can shop around
and name their price."

As proof of potential problems in the making, Reznor pointed to alternate
pay-for-ploy systems that had been discussed at recent security conventions.

Reznor also wondered what would happen in "fringe scenarios," where an
exploit ended up in the hands of a country deemed hostile by the hacker's
nation. Would such a sale count as treason?

Illinois attorney Nadine Guessler said that such a situation would probably
not result in a charge of treason, which she said would require proof that
the person acted willfully and with intent.

"But providing sensitive information that was or could be used against the
U.S. certainly would be an extremely uncomfortable situation to become
involved in," Guessler added.

While no one is accusing iDefense of selling secrets to the enemy, some
worry that cash rewards could encourage widespread unethical behavior, such
as bug hunters partnering with company-employed programmers to purposely
plant and then "discover" flaws.

iDefense spokesman Michael Cheek said that the company will work only
with those who ethically discover valid vulnerabilities.


------------------
http://all.net/ 


This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT