The value of vulnerabilities
Jason Miller, 2006-03-07
There is value in finding vulnerabilities, yet many people believe that a vulnerability doesn’t exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have in making these issues public?
Where do vulnerabilities come from? [..]
The value in vulnerabilities [..]
The ethics of vulnerabilities [..]
Why we need responsible, public disclosure [..]
A couple of days ago, “fearwall” created an eBay listing for a “Brand new Microsoft Excel Vulnerability”. I have mirrored a screenshot in case the listing is removed, which I expect it will be. One has to wonder whether companies like iDefense or TippingPoint will bid, since they (and others) purchase vulnerabilities. The full text of the auction:
The lot: One 0-day Microsoft Excel Vulnerability
Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).
A percentage of this sale will be contributed to various open-source projects.
Vulnerability Description (read carefully, this is what you bid on).
Microsoft Excel does not perform sufficient data validation when parsing document files. As a result, it is possible to pass a large counter value to the msvcrt.memmove() function, which causes critical memory regions to be overwritten, including the stack space. The vulnerability can be exploited to compromise a user’s PC. It is feasible to manipulate the data in the document file to get code of the attacker’s choice executed when the malicious file is opened by MS Excel. The exploit code is not included in the auction. You must have very advanced skills if you want to further research this vulnerability.
What will be delivered (at no extra charge):
The winning bidder must provide an e-mail address that accepts .xls attachments. Two xls files will be mailed to this e-mail address: one file is the original Microsoft Excel document, the other one is a copy of the same document modified to demonstrate the vulnerability. The demonstration merely triggers the exception causing Excel to crash. It does not do anything malicious. A detailed description of the vulnerability will be provided in the message body. At that time you can claim yourself to be THE ONLY ONE IN THE WORLD possessing the knowledge about the vulnerability. Wow! Imagine that! (Well, not counting Microsoft, but I really doubt that they’ll share it with anyone.) It is up to you what to do with it, but you may not use it for malicious purposes – see terms and conditions below.
Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.
Terms and conditions of the sale:
Your bid indicates that you agree to the following:
1. You may not use this information for malicious or illegal purposes. The information you receive is for educational and research purposes only.
2. The seller reserves the right to refuse delivery to anyone (a full refund will be issued).
3. The seller will accept no responsibility for anything you do with this information.
4. The seller cannot be held liable under any circumstances.
5. Absolutely no refunds will be provided except for the reason mentioned above.
1. All trademarks are the property of their respective owners.
2. No proprietary software products were decompiled or reverse engineered.
3. All information advertised here was used and is to be used to promote the importance and advance the knowledge in the field of information security.
4. The seller does not encourage any illegal activity.
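The bug class the listing describes (a count read from the document flowing unchecked into memmove()) is worth seeing next to its fix. The following is an added example, not code from the listing, from Microsoft, or from any real Excel parser: the record layout, the PAYLOAD_MAX limit and every function name are invented stand-ins for a length-prefixed binary file format, and the sample files are constructed here. The unsafe parser is kept only for contrast and is never fed the malformed record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical record layout (NOT the real Excel/BIFF format), chosen only
 * to show the pattern: [uint16 type][uint16 count][count bytes of payload],
 * little-endian.  The on-disk "count" is the attacker-controlled value.
 */
#define PAYLOAD_MAX 64

typedef struct {
    uint16_t type;
    uint16_t count;
    uint8_t  payload[PAYLOAD_MAX];
} record_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE: trusts the on-disk count.  A count above PAYLOAD_MAX writes
 * past out->payload (stack or heap, wherever the caller placed out); a
 * count above the remaining input also reads past the source buffer.
 * Kept for contrast only; never call it on untrusted data. */
int parse_record_unsafe(const uint8_t *data, size_t len, record_t *out)
{
    if (len < 4) return -1;
    out->type  = rd16(data);
    out->count = rd16(data + 2);
    memmove(out->payload, data + 4, out->count);   /* unchecked length */
    return 0;
}

/* HARDENED: bound the count against both the destination and the remaining
 * source before any copy.  0 on success, negative on a malformed record. */
int parse_record_safe(const uint8_t *data, size_t len, record_t *out)
{
    if (len < 4) return -1;                 /* truncated header */
    uint16_t count = rd16(data + 2);
    if (count > PAYLOAD_MAX) return -2;     /* would overflow destination */
    if (count > len - 4) return -3;         /* would read past source */
    out->type  = rd16(data);
    out->count = count;
    memmove(out->payload, data + 4, count);
    return 0;
}

/* Walk a whole file with the safe parser.  Returns the number of records,
 * or -(1 + index) of the first malformed record: the pre-check you would
 * run on a document before handing it to a parser you do not trust. */
long scan_records(const uint8_t *data, size_t len)
{
    long n = 0;
    size_t off = 0;
    while (off < len) {
        record_t r;
        if (parse_record_safe(data + off, len - off, &r) != 0) return -(1 + n);
        off += 4 + (size_t)r.count;   /* count <= len - off - 4, so off <= len */
        n++;
    }
    return n;
}

/* Constructed sample inputs.  BAD_FILE's second record carries count 0xFFFF,
 * far larger than the file, mimicking the crash PoC the listing describes;
 * the unsafe parser would memmove 65535 bytes from it.  TRUNC_FILE claims
 * five payload bytes but supplies three. */
static const uint8_t GOOD_FILE[]  = { 0x01,0x00, 0x05,0x00, 'h','e','l','l','o' };
static const uint8_t BAD_FILE[]   = { 0x01,0x00, 0x05,0x00, 'h','e','l','l','o',
                                      0x02,0x00, 0xFF,0xFF, 0x41,0x41,0x41,0x41 };
static const uint8_t TRUNC_FILE[] = { 0x01,0x00, 0x05,0x00, 'a','b','c' };

int main(void)
{
    printf("good file:      %ld record(s)\n", scan_records(GOOD_FILE, sizeof GOOD_FILE));
    printf("oversize count: %ld (negative = 1 + index of bad record)\n",
           scan_records(BAD_FILE, sizeof BAD_FILE));
    printf("truncated:      %ld\n", scan_records(TRUNC_FILE, sizeof TRUNC_FILE));
    return 0;
}
```

The two checks in parse_record_safe are deliberately separate: bounding against the destination stops the stack or heap overwrite, bounding against the remaining source stops an out-of-bounds read that would otherwise crash or leak memory, and a parser that does only one of them is still exploitable.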
Even if this one is a joke, what is to stop this model of vulnerability selling and disclosure from occurring more often in the future? As MadSaxon joked over two years ago, registering a 0-bay domain might be a fun business to start.
Several years ago, iDefense started purchasing vulnerabilities from freelance researchers and created its Vulnerability Contributor Program. Find a vulnerability, disclose it to iDefense under mutual NDA, and they would act as a mediator between you and the vendor for disclosure. After a patch was available, iDefense would release an advisory and pay you. Ignoring the fact that they would sit on the information for up to a year before disclosing it to the vendor, this program rewarded people for finding and disclosing vulnerabilities.
Some months back, David Endler left iDefense to join TippingPoint, a division of 3Com. Shortly after, TippingPoint announced its “Zero Day Initiative”. Like iDefense, the ZDI would pay for vulnerabilities, but it also created a ‘loyalty’ program for continuing to disclose vulnerabilities through them (one wonders if they give out keychain thingies like my grocery store does).
Now Digital Armaments is also offering a “pay for vuln” program. Instead of just offering cash for 0-day, it also offers trade-in credit, so you can receive other 0-day in return for your own. This deviates from the path of “responsible disclosure” (already questionable under the other two models) quite a bit.
There have been several Vulnerability Sharing Clubs (VSC) in the past, including iDefense, Immunity and others. For those who question this business model, consider that Verisign just purchased iDefense for US $40 million. Still not a believer? Consider that 3Com/TippingPoint is now offering a new VSC called the Zero Day Initiative. Now, instead of just selling an exploit for cash, you can earn points and trade them in for cash and prizes! Since this new program is being led by David Endler, who was an early participant in the creation of the iDefense VSC, this business model appears to be very sound (for the time being). In response, iDefense/Verisign has announced that not only is it continuing its program, it is beefing it up and offering more money for 0-day. For the skeptics out there, you are not alone. Frank Knobbe wrote a really good response to the 3Com/TP announcement, questioning the nature of the vulnerabilities that would be shared. I tend to agree with many of the points in it.
Other random thoughts:
- VSCs typically receive a 0-day vulnerability, share the info with their clients, then disclose the vuln to the vendor, give them all the time they want for a patch and eventually publish the information (presumably when it has little or no value). Verisign may now give iDefense a better way to know when the 0-day is worthless, via the customer networks it monitors: once they see the vulnerability in the wild, they know it isn’t 0-day any more and the value drops.
- With the above model in mind, we now know that Verisign doesn’t care about the ethical dilemma of holding 0-day vulnerability information and not immediately disclosing it to the vendor. Even if they do share with the vendor immediately, they also share this information with clients, who can leak it to other people.
- With the above model in mind, we know that 3com/TippingPoint also doesn’t care about the ethical dilemma.
- Is this the start of a trend regarding vulnerabilities, disclosure and the bottom line?
- Will this be the precursor to half a dozen other companies offering similar programs?
- If there are a dozen VSCs like this, are the vendors expected to pay for the information in order to receive it before the VSC decides to “responsibly disclose” it to the vendor? (Remember, the vuln info usually stays in the hands of the VSC and its clients for months before vendor notification.)
Economic Analysis of Incentives to Disclose Software Vulnerabilities
by Dmitri Nizovtsev and Marie Thursby
This paper addresses the ongoing debate about the practice of disclosing information about software vulnerabilities through an open public forum. Using a game-theoretic approach, we show that such a practice may be an equilibrium strategy in a game played by rational loss-minimizing agents. We find that under certain parameters public disclosure of vulnerabilities is desirable from the social welfare standpoint. The presence of an opportunity to disclose allows individual software users to reduce their expected loss from attacks and by doing so improves social welfare. We analyze the effect of several product characteristics and the composition of the pool of software users on the decisions to disclose and on social welfare, and compare several public policy alternatives in terms of their efficacy in reducing the overall social welfare loss from attacks. Our results suggest that designing an incentive system that would induce vendors to release fixes sooner and improve the quality of their products should be among the priorities for any policymaking agency concerned with information security. Doing so would reduce individual incentives to disclose vulnerabilities, thus further reducing the potential damage from any given vulnerability.
Our preliminary analysis of information-sharing coalitions suggests that such entities have a positive effect only under a fairly restrictive set of conditions.