A cynic, it has been said, is someone who knows the price of everything and the value of nothing.
Last month's revelation that Tipping Point paid out a prize of $10,000 and a new laptop (MSRP: about $2000) at the CanSecWest conference, in exchange for an exclusive license to a heretofore unpublished vulnerability in Apple's Safari web browser found by researcher Charles Miller of Independent Security Evaluators, may lend some credence to this adage.
The topic of 0-day vulnerability pricing is not new. Attempts to derive a price that precisely values the exclusive knowledge of how to secretly control millions of hosts vary in their approach, but the $10,000 bounty posted by Tipping Point resonates with many as a fair price for a remotely exploitable, admin-privilege-yielding vulnerability in a widely deployed software package. Competitors in the bug-buying space, like WabiSabiLabi's auction scheme and iDefense's VCP, offer lower rewards but provide differently structured incentive packages for disclosing 0-day exploits to them.
One professional security researcher, when asked to provide an estimate said, "[The time] depends on the person and tools they know," and elaborated that the specific circumstances around the vulnerability change the amount of effort, replying "[For him it] can be anywhere from a few minutes for an ActiveX vulnerability to a couple of days for a system vulnerability." Based on his personal consulting rates, his estimate agrees with the figure of the Tipping Point prize, quoting, "probably under $10,000".
Some arithmetic and a simple cost-benefit analysis, however, suggest that researchers may be vastly underbidding buyers. Given the cost of cleaning up after a worm, and even a fraction of the exaggerated damages some companies claim in computer crime cases, a bounty of $10,000 is a song.
If you are a twenty-something computer-science student in a former Soviet state and your prospects for gainful employment are limited to running DDoS botnets for extorting casinos and porn sites, sure, $10,000 is a tidy sum. But from the perspective of a potential victim of a worm infestation, this bug finder's fee wouldn't cover the premium of an insurance policy against the damage from a 0-day worm.
A useful treatment of what vulnerabilities can be worth has been written by the same researcher who won the CanSecWest competition, Charlie Miller. In his paper, The Legitimate Vulnerability Market: Inside the Secretive World of 0-Day Exploit Sales, he demonstrates how a buyer associated with a government agency (presumably American) paid $50,000 for an exploit for a vulnerability in an unspecified Linux daemon back in 2005.
A source I spoke with close to the Tipping Point ZDI program indicated that the vast majority of bugs the program receives are cross-site scripting and SQL injection attacks against "dinky web applications," such as bulletin boards, counters and blogging tools. Paying for these relatively "crappy" bugs is a loss, but buying only a few really good 0-day bugs at $10,000 justifies paying for the less serious ones.
There are a few factors, however, that the prices paid by Mr. Miller's spooky government customers, and the existing vulnerability buying programs, do not seem to take into account.
The first appears when one considers what it would cost a given organization to do the research and find 0-day itself, along with the opportunity cost of assigning the resources to the task; by that measure, even $50,000 is low. Let's assume that a government hires a consultant with successful, first-hand vulnerability development experience, and play with some ball-park figures.
Security consultants at a Big-5 consulting firm bill about $1200 a day for a junior consultant and $2500 a day for a senior one. According to Charles Miller, the winner of the Pwn2Own challenge at CanSecWest, it took three weeks to find and develop an exploit for the Safari browser. So, consider that 15 days of security consulting at the Big-5 rate costs between $18,000 and $37,500, and compare it to Miller's $12,000 gross win. In this case, that is a pretty hefty agency fee. Not that there is anything wrong with that, but it does suggest exploit writers may not be the only ones doing the exploiting.
The sources I spoke with also indicated that the bar is much higher for bug finders now than it was 5 years ago. A working understanding of reverse engineering, assembly languages, stack protection schemes and memory management is necessary to find serious vulnerabilities in most software. However, the sources acknowledged that ready-made shellcode from projects like Metasploit keeps the bar from rising to an unreachable level.
These liberal estimates of consulting time assume that hackers of the calibre to develop 0-day on-order are available to a government. Sure there are a few good hackers out there relative to the number of security professionals, but demand for them from cash-hemorrhaging security start-ups precludes most good hackers from entering public service.
Even the clumsy, rudimentary risk pricing of Annualized Loss Expectancy (ALE), which multiplies the projected cost of recovering from a single incident by the number of incidents expected in a year, makes worm defense worth hundreds of thousands of dollars for a bank, hospital or large enterprise. When the costs of recovery projected by IT security risk models are compared with the amounts being paid for 0-day vulnerabilities, there is a big, scary gap that shows one of the following:
- according to the market prices for 0-day exploits, the security risk from 0-day vulnerabilities is vastly overestimated,
- according to IT risk models, vulnerabilities are completely underpriced, or
- most 0-day developers lack basic negotiation skills.
The turnaround on the winning Pwn2Own exploit was a few weeks by a very experienced creator and, anecdotally, since the average security consultant doesn't even code, it would take one significantly longer than three weeks to find and develop a working 0-day exploit.
Maybe the middle ground in all of this, however improbable, is for exploit writers to exchange 0-day exploits for a royalty agreement covering each IDS installation that uses a signature for their exploit. The business of security companies is to package and pass along costs to customers at a premium, and a royalty program would improve the incentives, and in turn the quality of the development done by lone hackers.
Somehow, the cost-benefit equation has to be rewritten to better favor the legitimate, yet difficult, work of security researchers. Because, in spite of all the vendor-hacker goodwill that 0-day purchasing schemes have been designed to promote, something isn't adding up.
But perhaps I am just a cynic.