More on (moron?) Vulnerability Research Business Models

Dave G. | November 9th, 2007 | Filed Under: Industry Punditry

In a comment on my last post, cmlh writes:

@Dave G,

Based on the failing (due to agenda) of (particular) Researchers, Coordinators (i.e. FIRST Members) and Vendors - Which “trusted person or organization” is left “that can represent vulnerability researchers whose reputation is at stake when dealing with vendors.”?

In a word, there are plenty individuals that could fulfill this role. What I was really trying to say is that rather than the auction model, maybe the way to make this all work is to go for more of the agent model, like for screenwriters or novelists. While no one likes agents, the fact is they play an important role. They are responsible to both parties. When they fail, they lose customers fast. And there aren’t enough people around buying vulnerabilities that you can afford to lose customers. Also, it all happens in private, which reduces risk. Finally, everyone involved can be contractually bound. Who knows, maybe one day this will take off and there will be a vulnerability researchers strike!

BTW, If this was a lay-up question where I was supposed to say Matasano, thanks, but no thanks. Spitballing about vulnerability markets is fun, but that’s where it ends.

Viewing 11 Comments

    • ^
    • v
    God, why does this remind me the "Security Researcher Guild" idea that was tossed around (and imploded in a massive flamefest IIRC) back in February of 2006. If there were enough consensus among "independent security researchers" (fat chance) and a real need (meaning the said parties & processes were really as broken as advocates of this make this out to be and if the situation was really as dire) then folks would be paying monthly dues and putting "UNION Proud" on their white corporate MacBooks.
    • ^
    • v
    Security is a non-market something, more than a process, more than an art, its a way of life, an arms race. Grr.
    Real security takes inside people. Contracting to outsiders, while needed, is your standard complex client server model problem. A business where the client and server play to sell each other out to trust each other? Whatever, money is a powerful gaming force, look at M$.
    Money helps, iDefence pays squat, and one gets listed, in todays legal world, that might suck. Hack the system, take home cash and/or box, put up a physical store, etc...Otherwise, auctions are lame.
    But then, who wants to be involved in a dandylion farm, next to an exclusive golf club?
    Security is not a fun world, unless you have an odd sense of fun.
    • ^
    • v
    @Dave G,

    Related to your last paragraph of the Post, the following is quoted from http://www.washingtonpost.com/wp-dyn/content/ar...


    Software vulnerability researcher Dino Dai Zovi said he's excited about the vulnerability auction service and its prospects for rewarding researchers with better prices.

    "I can see this service creating much more incentives for researchers to find flaws," Dai Zovi said. "Not everyone is willing to spend 20 to 40 hours looking for vulnerabilities in [Microsoft Windows] software just to receive a little 'thank you' note in Microsoft's security advisories."

    Dai Zovi said he has never sold a vulnerability, although he recently won a $10,000 bounty in an impromptu research challenge at a hacker conference in Canada. At the suggestion of conference organizers, TippingPoint offered the reward to anyone who could find a previously unknown flaw that would allow an attacker to break into a fully protected MacBook laptop computer from Apple. A few hours into the challenge, Dai Zovi found a vulnerability in QuickTime, the media player software loaded on all Apple computers as well as many Microsoft Windows machines worldwide.
    • ^
    • v
    @cmlh,

    I am assuming, correct me if I am wrong, that you are suggesting that Matasano does more than opine about vulnerability markets in this blog. If so, I would have to humbly correct you and point out that I participated in the cansecwest contest roughly 6 months after I had left Matasano to pursue other opportunities. So, that was done as Dino, private citizen who wanted to make a point about the then-current state of mac security.

    As for WSL, the things that I talked to Brian Krebs about that didn't make the article were my thoughts on how the pricing of bugs in vulnerability auctions could provide useful information on the security of a piece of software. I.e. price is related to scarcity of vulnerabilities (unknowable to the average IT sec manager) and prevalence of the software (easier to ascertain). Thus, a transparent vulnerability market would give users signals as to the level of implementation security of an application. My point was that a transparent market could set the "true price" of a vulnerability (not just better prices, but that is where I suspect they would be).

    In addition, more incentive to find and transparently reveal the existence of vulnerabilities would cause more of them to be fixed (assuming the vulns were in anything of value). This in turn drives vendors to strive to ship with less vulnerabilities, resulting in better security for everyone. Lurking undisclosed vulnerabilities in your infrastructure and the race to patch disclosed vulnerabilities are not signs of us having truly secure systems, they show how most of our practices in software security are just damage control. This was the other line of reasoning that was not included in the article.
    • ^
    • v
    As usual, the passion play over vulnerability research and disclosure features, in the minds of the researchers, only two actors: the researchers themselves and the vendors. What about the third actor in the mix? (And no, I don't mean anybody who could be plotted on the Matasano PunditCon...)

    The third party that's being forgotten here is customers. They are, perhaps, the only parties who have the financial heft to counterbalance the vendors. For example, I know a Fortune 10 company that spends $50 million a year with Microsoft. Think they, or a collection similar customers, might be interested in seeing vulnerabilities fixed? How about the gub'mint or one of the agencies, from the buyers perspective?
    • ^
    • v
    @Andy:

    The customer wasn't forgotten here. The were intentionally removed by me (for better or for worse)

    One of my biggest objections to the auction model is that I don't want a third party who is not obligated to report the vulnerability to the vendor to purchase a vulnerability. That includes governments. (Note to peanut gallery: I am aware that governments already purchase vulnerabilities)
    • ^
    • v
    The only way security researchers can have a decent pay is to sell to the governments and to do hacking contests. I think it's the sad result of responsibility transfer most vendors have with there customers.
    • ^
    • v
    Not that it necessarily invalidates your idea, but it's worth considering how the agent model works differently with vulnerability information vs. other work products.

    The difference, really, is like that between two different schools of photographer - one who photographs wealthy people in extramarital endeavours, and another who photographs otters.

    In the first instance, there is a significant edge of blackmail - would you like to buy the negatives so you can burn them? If the photographer (or his agent) double-sells the negatives to the subject of the picture and then to a newspaper, the first sale is worth pretty much nothing (at least the buyer knows what the paper has on him and won't be entirely flatfooted), and the second one is barely reduced in value at all.

    Doing this enough times for it to become known might affect the photographer's ability to sell to the wealthy victims, but probably not his ability to sell to the papers.

    In the second instance, a double sale reduces the value of each purchaser's goods in roughly the same proportion for each buyer. Once caught, the photographer's ability to sell his pictures at all is severely diminished (at least, no one will be willing to pay extra for exclusivity).

    So, if your researcher can make more money by the second sale (I have no idea whether that's the case), then losing the first sale isn't much of a risk - he keeps the meat and risks only the gravy.
    • ^
    • v
    Vulnerability research is research of someone else's intellectual property. The ideal model for gaining from this kind of research is not a marketplace. The way that vulnerability researchers should be compensated is that software vendors should hire them directly to work on their products as part of their QA life-cycle.

    To pretend that there's any legitimacy to a market where vulnerabilities are found and sold independent of the vendors and their customers is naive. Selling vulnerabilities this way is irresponsible and serves to further criminal gains. Unfortunately, it's becoming the reality of a world where many vendors don't wish to take responsibility for the security of their customers and would rather punish researchers than collaborate with them.
    • ^
    • v
    @PaulM:

    You assume vendors have interests which are aligned completely with their customers'.

    Further, you assume that the consequences of a vuln in a vendor's product fall exclusively on the vendor and the vendor's customers.

    The first assumption is debatable. The second is false.

    An academic treatment of the question of how different disclosure regimes can effect social welfare can be found at http://infosecon.net/workshop/pdf/9.pdf

    This can give you a sense of the kind of thing I am talking about. As a bonus, it happens to support your argument. However, it doesn't model the impact of disclosure choices on third parties (non-customer, non-shareholders). Another paper which speaks to this overall question can be found at http://www.dtc.umn.edu/weis2004/weis-xu.pdf, but again it only models firms, customers, and hackers.

    My point in citing the works above is simply to suggest that the questions of which patching policy and which disclosure policy is best,
    and whether "the world would be better off" if "independent security researchers" didn't publish exploits are complicated, although both the
    2600-style and corporate monolith orthodoxies like to claim that they aren't.
    • ^
    • v
    "Who knows, maybe one day this will take off and there will be a vulnerability researchers strike!" - for that one should first have a real job, and not just working for yourself (or self-promotion). ;)

    I tried to post this link earlier, but it was probably regarded as spam as there was almost no text related to it. Here it is again:

    http://www.ee.oulu.fi/research/ouspg/sage/discl...

    For those who are interested, OUSPG is one of the academic research groups who have been studying various disclosure models since they started in 1996. They have collected all interesting articles in one place, to make research in this field a bit easier. Please let them know if they have missed something!

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus