Opening a new chapter in the disclosure debate, three well-known security researchers have argued against the status quo of flaw finders working with companies for free to fix commercial products.
Declaring "No More Free Bugs," researchers Dino Dai Zovi, Charlie Miller and Alex Sotirov pledged to no longer provide vulnerability research to companies whose products have a flaw unless there is a mechanism in place to compensate the bug finder for their work. Miller, a principal consultant at Independent Security Evaluators, already put the concept into practice, holding onto a vulnerability until he could use it at the Pwn2Own contest at CanSecWest, winning a new MacBook and $5,000.
The researchers were careful to dissuade others from demanding payment for research already done, as the tactic could be considered extortion.
"There just needs to be more legal and transparent options for monetizing security research," Dai Zovi wrote on his blog. "This would provide a fair market value for a researcher's findings and incentivize more researchers to find and report vulnerabilities to these organizations."
The disclosure debate is more than a decade old. Initially, researchers fully disclosed the details of a vulnerability to shake up software companies and force them to handle security issues more responsibly. Microsoft, for example, learned the lesson well and now has an internal group whose entire purpose is to vet flaws found by third-party researchers and get them fixed. Many companies, however, continue to consider researchers as part of the problem, not the solution.
While Microsoft has accepted pay-for-bug programs, such as TippingPoint's Zero-Day Initiative and iDefense's Vulnerability Contributor Program, the company itself does not pay researchers for vulnerabilities but gives credit in its bulletins, if the researchers keep mum on the details until the company releases a patch for the issue. Yet, security researchers who find the right buyers — typically governments — can make more than $100,000 from a single critical flaw.
Dai Zovi argued that the current relationship between companies and researchers is unfair both to the researcher and to the software developers' customers.
"Professional bug hunting is a specialized and expensive business," he wrote on his blog. "Software vendors that 'freeload' on the security research community place their customers at risk by not putting forth resources to discover vulnerabilities in and fix their products."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos