Software bug researchers hunt green

Share this article:
Dan Kaplan, executive editor, SC Magazine
Dan Kaplan, executive editor, SC Magazine

Three independent vulnerability researchers have a message for the software industry: Show us the money.

Dino Dai Zovi, Alex Sotirov and Charlie Miller first announced their new meme in March at the CanSecWest hacker conference. During one of Miller's talks, Dai Zovi and Sotirov held up a hastily made cardboard sign. It declared: “NO MORE FREE BUGS.”

The moment may have been impromptu, but the sentiment had been building for years. Some researchers believe they are getting the shaft from software developers, such as Microsoft, who don't pay the flaw finders.

Responsible bug hunters have two avenues from which to choose: Provide the information for free to the affected vendor – which typically will credit the researcher in a vulnerability announcement – or sell to a bug bounty program, such as those from TippingPoint or iDefense.

Neither option is particularly attractive, especially one that only offers a thank-you, Dai Zovi said. Bounty programs, meanwhile, can choose which flaws they want and, with few competitors, can pay smaller fees.

“Vendors have been getting a freebie for a while,” Dai Zovi said. “[But] why would I want to sit down and volunteer to find a bug in someone's browser when it's a nice, sunny day outside?”

If software vendors were forced to pay, they would be more incentivized to build software free of bugs before it is shipped, he said. And it would help keep exploits out of the hands of a black-market buyer.

The vendor mindset needs to change, Michael Sutton, VP of security research at Zscaler, said. “We're still treating it as though researchers have a moral obligation to hand over vulnerabilities. We live in a free market and valuable information won't remain free.”

But Gunter Ollmann, VP of research at Damballa, said companies already are investing plenty in finding vulnerabilities, which often includes hiring consultants.

“If the name of the game is making money – and for most of the research people I know it is – then the way to make real money is to sell your services by the hour or by the day, but not by the bug,” said Ollmann, who knows some white hats earning up to $300,000 a year this way.

Christopher Budd, security response communications lead for Microsoft, said the company stands by its policy.
“Many times [an] acknowledgement can help drive customers to a particular researcher's site, which can result in a positive public perception for that researcher and even potentially increased business.” – Dan Kaplan

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.