Monday, July 10, 2006

buying and selling exploits

Rsnake's post on a Google's recent XSS woes spurred some interesting thoughts about the market value and marketplace for of 0-day vulnerabilities. The premise being that if a "good guy" discovers a vulnerability, they are expected by the vendor and the community, to disclose it responsibly so it may or may not be fixed. In return the good guy can expect some credit for their work. The issue is finding these vulnerabilities takes "work" and "expertise". Sure, some more than others. The good guy also runs the risk of angering people, which Rsnake encountered, making the process of disclosure something not worth repeating.

The important part to understand is certain vulnerabilities have significant value the black hat element. I'd expect the bad guys are finding and buying 0-days to be a lot more common than we'd like to believe. They have no problem monetizing the information by exploitation, extortion, or whatever else they can think of. So the question Rsnake raised about developing a marketplace for vulnerabilities (an auction) is something worth considering. A marketplace where the good guy and the vendor gets what they want and the user is better protected. Nice.

I knew I'd come across this line of thinking before so I had to do some research. Ironically using Google.

I did recall that Mozilla had a Bug Bounty program and LiveJournal had the XSS security challenge. These initiatives seemed to be at least somewhat successful. Also ironically I discovered that at the end of 2005, "eBay pulls vulnerability auction", that was offering up an MS Excel vulnerability, "which could allow a malicious programmer to create an Excel file that could take control of a Windows computer when opened." Saying that "the sale of flaw research violates the site's policy against encouraging illegal activity." Fair enough. Well-recognized bug-finder Greg Hoglund also toyed with the 0-day marketplace idea. "Turning to auctions to maximize a security researcher's profits and fairly value security research is also not a new idea. Two years ago, security expert Greg Hoglund had reserved the domain "" and intended to create an auction site, but worries over liability caused him to scuttle the plan a few days before the site went live, he said."

Picking up from there more recently, there have been a couple of companies including 3Com's TippingPoint that purchases vulnerabilities though their zero day initiative program. Though I'm not familiar with their current stance of live web application vulnerabilities. So developing a marketplace for vulnerabilities is not exactly unheard of, but I do think there is a gaping hole there when it comes to custom web applications.

As I've said on many occasions before, in webappsec the issue it NOT disclosure, it's discovery:

"Web application security" vulnerabilities are completely different issue because they exist on someone else's server. The infosec community hasn't dealt with the legal issues of "discovering" vulnerabilities, only with "disclosing" them. Researchers have played the role of good samaritan by finding vulnerabilities in software thats important. So far, the software has run on our PC's. However we're moving into a world where the important software is custom web applications and not installable elsewhere. The same people whom provided the layer of security checking can no longer do so in a safe legal fashion. To those who say "do not test a system without written consent", offer good but short-sighted advice. Organizations providing the web-based services are not going to be handing out "hack me if can" authorization letters.

Perhaps Google, Yahoo, Microsoft or some other big web service operator could openly compensate the people who find vulnerabilities in their custom web applications and save everyone including themselves some headache. If LiveJournal can do it, hey, maybe they can to.

No comments: