Thursday, March 26, 2009

Reigniting the Bugs for Cash Debate

It's like one of those magic candles people place on birthday cakes that sparkle and relight themselves each time you think they've been blown out. That's how I'd define the most recent ignition of the "bugs for cash" debate.

By now you'll have probably heard that Dino Dai Zovi, Charlie Miller and Alex Sotirov have declared "No more free bugs" (Dai Zovi affirms his position and provides insight into his side of the argument over on his blog, in a post titled "No more free bugs").

It's been picked up by several of the security media channels, and Robert Lemos over at Security Focus has a good summary, "No more bugs for free, researchers say" (although I'd debate this being anything like a "new chapter"). And then, this morning, I read Dave Goldsmith's blog posting Vulnerability Research: Times They Are A-Changin.

Since I'm hardly a wall-flower and have been outspoken about the various aspects of the disclosure debate (particularly vulnerability purchase programs) for several years, I figured I'd better provide my perspective on this most recent disclosure storm.

While I respect the technical capabilities of Dino Dai Zovi, Charlie Miller and Alex Sotirov in finding new vulnerabilities and weaponizing them into exploits - I think there's a lot of show-boating going on, and it seems that the popular media is happy to go along for the ride.

Several people have pointed out that security researchers invest a lot of time in finding bugs and, since the "good" vulnerabilities are getting harder to find (i.e. taking more effort), they deserve to be paid for their work. I'd go along with that reasoning but for a simple fact: the software vendors haven't asked, nor employed, these particular researchers to find bugs in their products.

From a vendor's perspective, their CEO and CFO have defined the company's operational budget and optimized their expenditure processes. Most have invested in secure software development lifecycle programs and have included many security review and QA gates already. Most of the major vendors also employ professional (external) vulnerability research teams at the tail of the development lifecycle to "blackhat" their way to any bugs or vulnerabilities that may have been missed. Then, even having followed this process, the odd vulnerability still makes it through.

From the vendor's perspective, vulnerabilities should have been caught within their existing processes. But, as someone with firsthand experience of this, each sub-process is operating within time and financial constraints. Take the third-party vulnerability researchers that consult for the vendor - they were probably contracted to provide 100 man-days of effort for $250k (plus expenses) - and may find anywhere between zero and a thousand vulnerabilities - WITHIN those time/financial limits. The vendor set those budget/time limits. If they were wrong, maybe some external (unaffiliated) security researcher will uncover a vulnerability that was missed. The vendor then needs to decide whether future investments in their security review processes are needed - and they would be budgeted accordingly.

With a vendor-perspective-hat on, why should they be paying for more bugs? If it's a concern (i.e. affects customer confidence or damages the brand), they'll reprioritize their internal QA spending and increase budgets.

Vulnerability Worth
I've seen many security researchers debate the value of a vulnerability - and most are "dissatisfied" with the compensation paid by the commercial vulnerability purchase programs. As Dave Goldsmith clearly states in his blog - "Defenders Buy Vulns, Attackers Buy Exploits" - and there's a big difference between uncovering a vulnerability and actually turning it into an exploit.

Criminals (and Governments) pay a premium for weaponized vulnerabilities - so to compare the prices they're willing to pay for some new zero-day versus a security vendor who's focused on remediating the vulnerability is naive. And, as for these $5,000 (etc.) contests to be the first to break something - that has nothing to do with improving security, it's a marketing exercise - and the researchers who participate in them are merely associating a small dollar value with their professional reputation.

Getting back to my point about a software vendor's budget for assuring/improving security... What I've found is that many of the best security researchers are already contracting with, or working within, the major software vendors and helping to improve their products' security. From a compensation perspective, those security researchers regularly earn anywhere between $150k and $250k per annum (plus benefits) - which is much more profitable than picking up $5k at a contest here and there.

Then there's the "Best of the best" security researchers out there. Not only are they smart enough to find the most important vulnerabilities and figure out how to exploit them, but they're also smart enough to set up their own businesses and really rake in the dollars (and get others to do the tedious research work!).

So, what's a bug worth in that context? That 100 man-day contract may yield 100 bugs - placing each bug's value at $2,500. On the other hand they may only find one bug - and that single bug is now worth $250k. Take your pick.

In my opinion "No more bugs for free", while headline grabbing, is old ground trodden over many times in the past. Routes already exist for legitimate/ethical security researchers to make a mint from the vulnerabilities they are capable of finding - if they're smart enough to understand the business.

Vulnerability showboating is for amateurs from a past age. The vulnerability research business has moved on.
