iDefense Underbids on Vista Vulnerabilities

Dave G. | January 10th, 2007 | Filed Under: Industry Punditry

According to Ryan Naraine, iDefense is offering 8,000$USD (plus 2000-4000$ for a working exploit) for a remote code execution vulnerability in either IE7 or Vista. From Ryan’s article:

The launch of the latest hacking challenge comes less than a month after researchers at Trend Micro discovered Vista flaws being hawked on underground sites at $50,000 a pop and illustrates the growth of the market for information on software vulnerabilities.

So, let’s assume that someone can actually get 50,000$ for a Vista vulnerability. Or lets halve it. $25,000. If you are a researcher who is capable of finding Vista/IE7 bugs (maybe I am underestimating how easy it will be to find remotes), and you were inclined to sell vulnerabilities, are you really going to give iDefense a 50%+ discount? I suspect if you do, it is because you don’t have anyone else who is willing to buy it from you.

Even more interesting than that is the fact that they had a bounty of 10,000$USD for IM applications, Databases, and even Microsoft technologies. My questions:

  • Why is their sense of value in a vulnerability decreasing? Is it an anticipation of many vulnerabilities? Is it a budgetary/business model change? Is it that there are only two openly public places to sell vulnerabilities to?
  • Is this a statement on the value of vulnerabilities found in IM clients vs. Vista/IE7?
  • What are they doing with the reliable exploits you are selling to them?

This is less paranoia and more curiosity…

Viewing 19 Comments

    • ^
    • v
    What we need is a bug/payment escrow service. I hand you the working 0-day, you verify it in a private lab, find buyers, and take the money from the highest bidder. Don't tell me who it is. You take a 10% cut and pay me.

    This would be awesome because the market would find a natural equilibrium between losses due to phishing and banks' willingness to pay to protect their customers, for example. Or maybe some vendor thinks their rep is worth more than $8k. Everyone wins!
    • ^
    • v
    How would that market value willingness to disclose and credit the researcher?
    • ^
    • v
    If I'm getting 10-50k for a vuln, who cares if someone knows I wrote it or not?
    • ^
    • v
    Of course, iDefense is also asserting a claim to exclusivity and some ownership of your intellectual property. Maybe on the open market, exclusivity is more negotiable and you can make the rounds with your exploit to multiple buyers. Bidding is a possibility on the open market as well, iDefense is setting the price and low-balling at that so maybe there's better connected sellers with better exploits that iDefense can't even engage at their prices?
    • ^
    • v
    0bay - New & used exploits, remotes, locals, vulnerability goods & more at low prices.

    Maybe the idea isn't that bizarre.
    • ^
    • v
    Mike, if it takes you 3 weeks to find and refine a vulnerability, 15k is probably a breakeven point.
    • ^
    • v
    Thus Dr. Ptacek has revealed his salary to be 260k a year ;) Lucky him!
    • ^
    • v
    I'm not a doctor (one semester at UIC, total), and $1k/day is on the low side of reasonable (as a 1040 bill rate) for the kind of person who can routinely produce Vista remotes.
    • ^
    • v
    Mr. Dole:
    Good security folks aren't cheap, and larger orgs will have management overhead (and things like health insurance, office space, equipment, LEGAL), and finding a vulnerability can also have an opportunity cost (if the person isn't a dedicated vulnerability researcher).

    Tom:
    you aren't a doctor? why have i been getting medical advice from you? next someone is going to tell me that this isn't the real bob dole!
    • ^
    • v
    Buy an expploit, sit on it for a while, disctribute the knowledge through a service for your clients, show them your value, risk the rest...

    Dr. Dave and I used to work for such a comapny...
    • ^
    • v
    I see it as guaranteed cash flow, versus selling an exploit online to who knows who. Trend Micro may have seen exploits going for $50k, but it wasn't confirmed and nobody knows if that's what the exploit actually went for.

    I'll compare selling exploits on IRC/iDefense, to winning the lottery. You have two choices:
    1) a guaranteed lump sum (with a paycut) or
    2) paid over an undetermined time period in X installments.
    Who knows what will happen in the future, and I don't exactly trust `v1ru$buy3r` on IRC to pay me.

    Also, in my opinion, exploits decrease in value the longer they are 'known.' This gives the vendors time (through luck) or other methods to identify and patch that vulnerability.
    • ^
    • v
    Tom, the (sarcastic) idea has nothing to do with disclosure and researcher credit. It would probably create the opposite of what we have now (some disclosure, some credit). I'm trying to make a point that whatever the reasons for security QA, they're not 100% economic because the price offered for 0-day is so low (as you point out).

    There are 2 extremes that security QA swings between: 100% economic and 100% free/ego-based. The former is what you'd have if somehow there was a corporate monopoly on security QA. The latter is what you'd have if the early warez scene mentality somehow dominated. Of course, neither extreme is feasible -- there's always someone to whom credit matters more than any amount of money or someone who wants to sell warez no matter the peer pressure not to.

    My point is: given that continuum, it's obvious each person involved in security QA makes their own decision where they want to stand. And people change over time as their motives change (e.g., "selling out"). It's pointless to sit and argue about what's the 'right' way since people have different motivations.

    However, if everyone could see the ending price for vulnerability auctions, it would give a clearer view of the value researchers who do it for free are giving the world.
    • ^
    • v
    What are they doing with the vulnerabilities you sell them:

    One or more of:

    Selling the information on at a profit probably to multiple clients

    Breaking into systems for money

    Generating publicity (iDefense)

    They certainly aren't providing the information to a vendor at a $10k+ price point unless their real motive is publicity
    • ^
    • v
    Bear in mind also that in the grey market you're not restricted to selling to just one party.
    • ^
    • v
    Another point to make: No one guaranties the so-called 0-day is really is 0-day. The seller could have used it before, or sold it before, and still the knowledge of the existence of this vulnerability/exploit is not widely known.
    • ^
    • v
    I'm not so sure about the 50k price tag myself. The underground market would see far more ROI for a remote exploit given the common uses of botnets, phishing, etc however Vista isn't very widely deployed. One could claim that Vista exploits have a higher cross platform potential on older MS operating systems. An IE7 exploit would be profitable given the uptick in iframe exploits I've seen in the last few months. Turning vulnerabilities into dollars isn't that difficult for the criminally minded.

    Someone like Tipping Point can say to their clients, "Here is some vaccine[tm] to protect you against 0day attacks. While MS takes the time to craft a patch you will not be affected by this vulnerability." This has less economic value overall but still more then iDefense who simply assumes the role of advisor. Public and legal entities can't make back the same kind of money right away and with something like publicity the earnings are "soft" and more difficult to calculate.

    This is all speculation though and I'd be interested in hearing what people here think are criteria for pricing.
    • ^
    • v
    "If you are a researcher who is capable of finding Vista/IE7 bugs (maybe I am underestimating how easy it will be to find remotes), and you were inclined to sell vulnerabilities, are you really going to give iDefense a 50%+ discount? I suspect if you do, it is because you don’t have anyone else who is willing to buy it from you."

    Not neccesarily. Im sure many researchers sell to iDefense because they know the vulnerability is going to a legitimate party and wont be used for malicious purposes. And if they can profit off of that then great. Selling to someone willing offer $25,000+ probably means that buyer can make more then that off of your work. If Versign/Idefense cant justify paying that much, then who are you selling to who can? What will they be using it for? Its not worth the risk. I have never personally sold a vulnerability, probably never will. But I only see two reputable vulnerability buyers in the market these days, iDefense and 3com. Dont sell your work to just anyone, you never know the kind of damage you may be creating. Just my opinion.
    • ^
    • v
    "...Im sure many researchers sell to iDefense because they know the vulnerability is going to a legitimate party and wont be used for malicious purposes."

    And how do they know? iDefense and 3Com do background checks on their customers to decide if they are eligible to receive 0day information? What's the criteria? What prevents organized crime from setting up a front company, a facade, to buy 0days from them? What prevents 'malicious' users at their customer's organizations from using the legitimately acquired 0day for evil purposes? Or are you so naive to think that the 'bad guys' are unemployed, self-employed or 'employees' of organized crime only? My point?
    The sellers are not the sole participants of the grey market, its very likely that there are 'grey' buyers as well.
    • ^
    • v
    One explanation of the imbalance might be the idea that you can sell an exploit/vuln to iDefense for $8k and not have your family kidnapped until you find another for the Russian mob....

    It's the Hurley Theory of Embezzlement - if you are going to do something illegal for money, make sure you get enough on the first try to retire and disappear forever...

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus