I’ve been auditing for the past week now, and have uncovered several vulnerable bugs in the Linux Kernel, and a bug in some popular userland code. The question now: what to do with them?
Previously, when I’ve discovered a vulnerability, I would contact the developers in control of the software and work with them towards developing a patch. Working with developers also helps establish a rapport and trust with software makers. It also helps establish the contributor as exactly that: someone who contributes development time to open source. This approach was very successful in 2002, when I last did any auditing.
Today, things are different. Having not worked in computing for the past 4 to 5 years, and now having the status of a university student, means I am financially worse off than I was in 2002. $1000 would make a huge impact on my financial status.
www.idefense.com and www.zerodayinitiative.com pay money for software vulnerabilities. IDefense pays from $100 to $1000 for most bugs, and for bugs in OpenSSH, Apache and other critical software, awards are in the tens of thousands of dollars. The Zero Day Initiative makes custom bids on each vulnerability.
Both companies require a person to submit or disclose the vulnerability on their secure web site. After evaluation, the vulnerability is given a monetary bid by the company to establish rights to it, or no bid is made. IDefense/ZDI then works with the vendor to establish a resolution. The submitter gets credit in any advisories released.
There isn’t as much glory in submitting vulnerabilities the monetary way. I would prefer to work in conjunction with IDefense/ZDI to develop a patch with the software maker. But I am biased, being 80% developer and 20% security auditor. Many people would see the advisory credit as 99% of the glory.
The bugs I’ve discovered in the last week are not high-impact bugs. All but the one userland bug I found are local in nature and require specific hardware or configurations. For all the bugs, privilege escalation is not the direct result of exploitation. I am truly skeptical whether IDefense/ZDI will make a bid on these bugs. But they are still vulnerabilities nonetheless, and if for each bug I was offered $100, I would, financially, be better off.
I encourage people to write comments on this post regarding how they think bugs should be handled. Is IDefense/ZDI popular in the community? Or is the feeling that direct communication with the developers/vendors should be made?