Hacking contest highlights value of vulnerabilities
Robert Lemos, SecurityFocus 2008-03-25

Security professionals who take part in an annual hacking contest will have more reasons to part with their latest vulnerabilities: up to 20,000 more reasons.

On Monday, security firm Tipping Point agreed to offer up to $20,000 as a prize to the first person to compromise each of three laptops running popular operating systems in the second annual PWN2OWN Competition at the CanSecWest conference, which takes place in Vancouver this week. The boost in the bounties came after researchers criticized the company for the more modest prizes announced last week. The first person to compromise any of three laptop computers -- running the latest versions of Apple's Mac OS X, Microsoft Windows Vista and Ubuntu Linux -- will receive the prize money and the laptop.

"Based on the current feedback, we've agreed to keep this contest a 'best of the best' showdown, and therefore only one cash prize will be offered per machine," Terri Forslof, manager of security response for TippingPoint, said in the company's blog post revising the rules. "Our original goal in offering the chance for multiple persons to compete for cash prizes -- even after the boxes were pwned -- was to create more opportunity and fairness to the contestants and alleviate issues of timing around who gets to go first."

"Pwn" -- security slang for compromising, or owning, a computer system -- is pronounced like the "pon" in pony.

This year's PWN2OWN competition will be the second time that TippingPoint has ponied up prize money for the vulnerabilities used to win the contest. Last year, when the contest offered up two MacBooks as targets, researchers Shane Macaulay and Dino Dai Zovi teamed up to use a vulnerability in the way QuickTime handles Java to compromise one of the machines. Macaulay kept the MacBook, and Dai Zovi eventually received a $10,000 prize from TippingPoint for the vulnerability.

This year, TippingPoint originally offered $10,000 for any vulnerability that could be used to remotely exploit a system without any user interaction and $5,000 for a software bug that requires some user interaction, such as clicking on a link or opening an e-mail message. Under those rules, Macaulay and Dai Zovi would only have received the lesser amount this year.

In an e-mail exchange, Macaulay argued that many researchers would be unlikely to participate in the contest at that level, considering that private buyers -- typically government agencies -- would likely offer ten times the amount.

"If anybody has an exploit that they want to use in the contest, run it by me first and I'll tell you, real world, how much you can get by brokering with very legitimate -- .gov non-publishing -- buyers," he wrote in the e-mail message.

Other researchers, including Dai Zovi, a former security researcher who now manages security for a financial firm, agreed that lower prizes would mean less competition.

The security team at TippingPoint met Monday and decided to essentially double the rewards, but to offer the prizes only to the first person to compromise each machine. On the first day of the competition, only remote exploits that do not require user interaction will be allowed, and successful exploitation will earn the researcher $20,000. On the second day, the contest officials will allow some user interaction via applications that are part of the default install; any successful attacks will earn $10,000. The last day of the conference will also allow popular third-party applications to be used as a vector of attack, which will earn security researchers $5,000.

The controversy over the bounty to be paid for the software bugs underscores the continuing uncertainty over what vulnerabilities are worth. Determining the value of vulnerability information is difficult because researchers want to protect their discoveries and buyers do not reveal the amount they pay for flaws. While TippingPoint, a wholly-owned division of networking company 3Com, typically buys information on exploitable software flaws for anywhere from $2,000 to more than $10,000, private buyers -- such as government agencies -- can offer more than ten times that amount for serious flaws.

"My personal opinion is they are not being valued correctly," said security manager Dai Zovi. "There is a wide discrepancy between what people can get for a vulnerability through a public sale and a private sale."

Yet TippingPoint's Forslof argued that the contest treats vulnerabilities in all three platforms -- Mac, Windows and Linux -- as being of equal value, which is not necessarily the case.

"Through ZDI we look at every vulnerability on its own merits," Forslof said. "We are looking at installed base, what our customers use. We might not have any clients that use Ubuntu. How do you kind of determine a price that is going to be fair, while not knowing what the vulnerability will be?"

Last year's winner, Dai Zovi, said he would have competed even without the sweetened deal, and that the challenge is incentive enough for many people.

"I (would) still participate," he said. "Regardless of the prizes, it is still fun."

If you have tips or insights on this topic, please contact SecurityFocus.

Copyright 2010, SecurityFocus