Read the following argument by Dino A. Dai Zovi, Charlie Miller and Alex Sotirov – No More Free Bugs.
Basically, the argument states:
- Security vulnerabilities have high value; finding them is hard work and costs a lot of money. And there’s a market out there for them.
- Vendors rely on security researchers to choose the “responsible disclosure” way and report the bugs they find (for free).
- Reporting security vulnerabilities is a risky business, legally and professionally.
- Reporting security vulnerabilities without any legal agreements pretty much sucks.
- Reporting security vulnerabilities for free – sucks too.
In my opinion, vendors should have a pre-made agreement, written by the company CSO/security manager and backed by the company CEO and the company lawyer, covering vulnerability disclosure and reward methods. The price can be calculated from the vulnerability’s severity and probability level (CVSS style) and from the technical details and further work the security researcher provides. For example: the researcher wrote PoC exploit code – low value. The researcher wrote reliable, universal exploit code – high value.
This way, security researchers will have more than enough reason to disclose vulnerabilities to vendors and get rewarded for it, as it should be, instead of choosing other ways (and in my opinion, the wrong ways) to gain profit, either money or just fame.
The opinions about the “no more free bugs” argument around the world are mixed. Ross Thomas of SophosLabs thinks the security industry has sunk to a new level of lameness. Adam O’Donnell says there’s nothing to be excited about and there never was such a thing as free bugs.
I think there is nothing new under the sun. Vendors won’t rush to make vulnerability disclosure reward agreements just because three top security researchers state that the party is over and no bugs will be given away for free anymore. Security researchers and bug hunters are still stuck with the dilemma of what to do after finding a bug – responsible disclosure, full disclosure, selling it to whoever is willing to pay, or doing nothing with it.
Categories: Security News
No More Free Bugs…
An opinion on the No More Free Bugs declaration in the information security world. This declaration was announced last week at the CanSecWest conference by three well-known security researchers. Is it realistic?…