Three independent vulnerability researchers have a message for the software industry: Show us the money.
Dino Dai Zovi, Alex Sotirov and Charlie Miller first announced their new meme in March at the CanSecWest hacker conference. During one of Miller's talks, Dai Zovi and Sotirov held up a hastily made cardboard sign. It declared: “NO MORE FREE BUGS.”
The moment may have been impromptu, but the sentiment had been building for years. Some researchers believe they are getting the shaft from software developers, such as Microsoft, who don't pay the flaw finders.
Responsible bug hunters have two avenues from which to choose: Provide the information for free to the affected vendor – which typically will credit the researcher in a vulnerability announcement – or sell to a bug bounty program, such as those from TippingPoint or iDefense.
Neither option is particularly attractive, especially one that only offers a thank-you, Dai Zovi said. Bounty programs, meanwhile, can choose which flaws they want and, with few competitors, can pay smaller fees.
“Vendors have been getting a freebie for a while,” Dai Zovi said. “[But] why would I want to sit down and volunteer to find a bug in someone's browser when it's a nice, sunny day outside?”
If software vendors were forced to pay, they would have more incentive to build software free of bugs before it ships, he said. And it would help keep exploits out of the hands of black-market buyers.
The vendor mindset needs to change, said Michael Sutton, VP of security research at Zscaler. “We're still treating it as though researchers have a moral obligation to hand over vulnerabilities. We live in a free market and valuable information won't remain free.”
But Gunter Ollmann, VP of research at Damballa, said companies already are investing plenty in finding vulnerabilities, which often includes hiring consultants.
“If the name of the game is making money – and for most of the research people I know it is – then the way to make real money is to sell your services by the hour or by the day, but not by the bug,” said Ollmann, who knows some white hats earning up to $300,000 a year this way.
Christopher Budd, security response communications lead for Microsoft, said the company stands by its policy.
“Many times [an] acknowledgement can help drive customers to a particular researcher's site, which can result in a positive public perception for that researcher and even potentially increased business.” – Dan Kaplan