Start-up reignites bug-disclosure debate

Dawn Kawamoto CNET News

Published: 03 Aug 2007 15:48 BST

…she came across similar situations about a dozen times during her stint at the software giant between 2000 to 2005.

"Most major vendors, including Microsoft, have strong corporate values and will not pay for vulnerabilities," Forslof said. "So, making that threat to pay me, or I'll harm your customers, is basically like extortion to them."

DeMott, however, said his company has had some success with its business model.

Over the past four months, the company has seen roughly half of potential customers agree to pay the bug bounty fee, and the other half reject the idea outright. And, in one case, a company declined to pay the bug fee but then signed up for VDA's consulting services. To date, two companies have purchased the vulnerabilities that VDA discovered and patched them, DeMott said.

But Ullrich described such customers as "paying for protection".

"There are people who pay protection to the mob. It's really a protection racket," Ullrich said. "I can't see it as a legitimate business model."

Other business models
Bug bounty hunters have a variety of means to generate income, security researchers say.

Auction site WabiSabiLabi, where software companies and security vendors bid on such discoveries, emerged on the scene recently, amid some controversy that the buyers of the vulnerabilities may be malicious attackers.

Since the Switzerland-based site was announced on 9 July, approximately 20 vulnerabilities have been posted for auction, ranging in price from 200 to 2,600 euros (£134 to £1,750), Roberto Preatoni, WabiSabiLabi's strategic director, said in an email.

"You should take into account that this market just started. Therefore, we think it's needed to wait at least six months before seeing real values being expressed in it," Preatoni said.

Three vulnerabilities have been sold on the auction site, while six more are currently on the market as their auction time ticks down.

Other compensation methods for bug hunters have included landing lucrative contracts with software vendors to debug their products, and participating in ongoing, formal bug-reporting programmes offered by TippingPoint, iDefense and the Mozilla Foundation.

Back in 2005, TippingPoint launched its Zero Day Initiative programme. The programme pays money to security researchers for bugs and proof-of-concept code, or working exploits they discover.

Based on the severity of the vulnerabilities and extent to which they are distributed, TippingPoint will pay researchers on a sliding scale. Forslof noted TippingPoint generally pays more if a researcher has taken the extra effort to develop proof-of-concept code.

"Based on the amount of money [DeMott] wanted for the bug and working exploit, it would have been in line with what we would have offered," Forslof said. "The amount of money he was asking for was not out of line — it's just the way he went about asking for it from LinkedIn."

Once TippingPoint buys bugs and exploits from security researchers, it then validates the information before passing it on to the software vendor for free. TippingPoint then writes filters for its intrusion-prevention devices based on the information it has validated from the bug hunter.

iDefense, which operates the iDefense Vulnerability Contributor Program (VCP), has a similar concept. The main difference is iDefense, after validating the information and notifying the software vendor for free, uses the information to notify its own client base and build workarounds until the vendor develops a patch.

"The VCP provides researchers with ways to get legally paid for the research they do," Doyle said. He noted the payments can vary from a couple of hundred dollars to as much as $10,000 (£4,914).

The Mozilla Foundation, meanwhile, offers a $500 (£245) bounty for every serious security bug found in its software.

DeMott said VDA is not wedded to its business model and may be open to tweaking it.

"If this business model is not panning out the way we had hoped, then we may focus on government or commercial contracts," DeMott said. "I certainly won't turn down a contract."
