Laziness Of A Blogger At Midnight

Dave G. | July 11th, 2007 | Filed Under: Industry Punditry

Mike Murray riffed off of my post on WabiSabiLabi. He talks about how if you can buy a vulnerability cheap enough, you wouldn’t bother researching the vulnerability, because it is likely to cost more to find it yourself.

Which is a valid point. However, my post was less about whether or not it is worth the money and more about the fact that by posting the description of (somewhere between some and many) vulnerabilities, you lower the value of the vulnerability. For example, someone bid on the vulnerability mentioned in my post “Squirrelmail GPG Plugin Command Execution”.

In the comments of that post, Stefan Esser and others found several potential vulnerabilities. Maybe one of the ones mentioned is the bug in question. According to the website, two people have already bid on it. When they bid, it might have been worth the money. At this point, they might have bought a vulnerability that is patched in the latest version and is publicly known about. If that is the case, they might have made a different purchasing decision if they had the knowledge that this vulnerability would be discovered and fixed prior to the release (*).

Presumably only one person is going to be able to buy a given vulnerability. If multiple people bid, the loser may just decide that it is worth finding. And depending on if they can find it quick enough, the value of that vulnerability could go down significantly (even to zero), for the entity who purchased it.

(*) Who is to say that the vulnerability for sale is the one of the vulnerabilities identified by our readers.

Viewing 5 Comments

    • ^
    • v
    "(*) Who is to say that the vulnerability for sale is the one of the vulnerabilities identified by our readers."

    In my opinion it does not matter whether the exact vulnerability being sold was found or not, just that a vulnerability was found.

    For most people whether their intentions are good or bad as long as they have one way to exploit an application reliably then this is all they need.

    As Stefan pointed out, the easy "require()" bugs are patched, but the application is riddled with bugs where the user can control calls to exec. What more do you need? I think any unpatched bug ( or many bugs in this case ) in an application makes buying a random one for it worthless.
    • ^
    • v
    When I saw this I thought, "Woohoo, now we can contribute a bunch of crappy modules to open source projects, then auction off vulnerabilities in them."

    This probably won't happen, as the stakes are far too low. An exploit auction is certainly a provocative idea. Whether it has an economic impact on exploit development remains unclear.
    • ^
    • v
    Have to say, I was just being a pain. I understood the point, but there was another facet that I wanted to expound upon.

    Taking this point to its extreme, the interesting question would be around the economics of the auction itself - as you point out, it's possible that the value of the product radically changes during the auction.

    This isn't a problem that eBay has.
    • ^
    • v
    @Mike

    There is one area where I disagree with your post. There are plenty of researchers and affected code bases that have an excess of time and lack of funds. For example, open source projects aren't going to pay 700 Euro's for a defect in their code.
    • ^
    • v
    I imagine there are better ways to use economics and markets to improve code quality. For example, a prediction market on wagers such as "there will be a remotely exploitable vulnerability in Internet Explorer in October 2007." People who are intimately familiar with the code quality could make money by using their knowledge to set the right price. People who research vulnerabilities in IE can "game" the system by releasing bugs and collecting payoffs. These insider trades are actually good because in the long run they feret out bugs and give a realistic assessment of the security of a system (if shares are priced between $0 and $1, they will approach the probability of a bug being found). Win Win! And no need to sell vulns in private.

    (Oh yah, if you happen to be a heavy user of a technology, you can buy shares as a hedge against damages when vulns are released...)

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus