What to do with bugs? Money or Glory.

I’ve been auditing for the past week now, and have uncovered several vulnerable bugs in the Linux kernel, and a bug in some popular userland code.  The question now: what to do with them?

Previously when I’ve discovered a vulnerability, I would contact the developers in control of the software and work with them towards developing a patch.  Working with developers also helps establish a rapport and trust with software makers.  It also helps establish the contributor as exactly that: someone who contributes development time to open source.  This approach was very successful in 2002 when I last did any auditing.

Today, things are different.  Having not worked in computing for the past 4 to 5 years, and now having the status of a university student, means I am financially worse off than I was in 2002.  $1000 would make a huge impact to my financial status.

www.idefense.com and www.zerodayinitiative.com pay money for software vulnerabilities.  iDefense pays from $100 to $1000 for most bugs, and for bugs in OpenSSH or Apache and other critical software, awards are in the tens of thousands of dollars.  The Zero Day Initiative makes custom bids on each vulnerability.

Both companies require a person to submit or disclose the vulnerability on their secure web site.  After evaluation, the vulnerability is given a monetary bid by the company to establish rights to it, or no bid is made.  iDefense/ZDI then works with the vendor to establish a resolution.  The submitter gets credit in any advisories released.

There isn't as much glory in submitting vulnerabilities the monetary way.  I would prefer to work in conjunction with iDefense/ZDI to develop a patch with the software maker.  But I am biased, being 80% developer and 20% security auditor.  Many people would see the advisory credit as 99% of the glory.

The bugs I’ve discovered in the last week are not high impact bugs.  All but the one userland bug I found are local in nature and require specific hardware or configurations.  For all the bugs, privilege escalation is not the direct result of exploitation.  I am truly skeptical whether iDefense/ZDI will make a bid on these bugs.  But they are still vulnerabilities nonetheless, and if for each bug I was offered $100, I would, financially, be better off.

I encourage people to write comments to this post regarding how they think bugs should be handled.  Is iDefense/ZDI popular in the community?  Or is the feeling that direct communication with the developers/vendors should be made?

4 responses to “What to do with bugs? Money or Glory.”

  1. You should have a look at WabiSabiLabi too. (We heard of this site in French security RSS feeds.)

    http://www.wslabi.com/wabisabilabi/initPublishedBid.do?

  2. Sell em. Just don’t tell the ‘el8s’, they get a bit pissy🙂

    This bug finding / exploit thing used to be like a gentleman’s sport, and we were all just coders and hobbyists screwing around… there was an unspoken rule that if you noticed a bug in someone’s code, you sent them a quick email, and that was it. Just as a coder, giving a headsup to another coder.. you’d expect the same in return. It’s just good netizenry !

    If you are truly concerned about security and just want to help out when you notice a problem, this would be the only proper and ethical thing to do... a quick email from one coder to another.

    Any other form of ‘disclosure’ necessarily serves another interest, whether it’s fame, fortune or Google pagerank. That’s the reality of the situation! Anyone who bothers to type up more than a snippet of affected code and a suggested fixup is seeking to gain from the vulnerability in some way… even if it’s just to get the opportunity to rant about something in the code comments🙂

    Now all these bugs have actual (or perceived) value and there’s an emerging marketplace for vulns.. the very idea of this used to be offensive to just about everyone involved with security. But the reality is that the market for this stuff will only increase and get far far more disgusting over the next few years!

    This is just the beginning… we already see botnets, 0day trojans and new drop-in exploit plugins for webattacker being sold openly on kiddy forums. The actual exploit coding, payload delivery etc is being constantly abstracted and guified like every other aspect of IT – all you need now is the knowledge of the vulns parameters, and you can plug it straight into your existing attack framework / net…soon, all that will need to be traded is the raw bug info (like how it used to be BITD!)

    So when it comes to vulns… I say to hell with the vendors, the ‘security community’, the responsible disclosure finger pointers – today there is no such thing as ‘responsible disclosure’. The bug exists whether you discover it or not. You are not creating the vulnerability, and you definitely are not being paid to audit security products for these vendors, so if you give them ANY information whatsoever regarding a bug in their software, they should be appreciative no matter what form it takes! And they should have NO legal recourse whatsoever, you are a whistleblower, they are at fault!

    Hackers have zero obligation to report bugs, ever. Finding them is time consuming, very difficult and frustrating and 90% of the time unrewarding in any way. If you find and report a bug you should be rewarded – if the vendors won’t pay directly, go to ID/ZDI. If they won’t pay, you can sell the bug privately (post a ‘for sale’ ad on a mailing list and see how quickly the vendors respond ….)

    You’re doing their work for them, and saving them potentially zillions of lost customers, damage to their reputation, etc. They are morally obliged to protect their customers, and yet they fail to do so and will keep failing as long as there is little to no pressure from a business/trade perspective.

    You don’t have the same moral obligations… in fact, you could argue as an expert that you are morally obliged to alert the customer base to the vendors failure to protect their customers by distributing a shoddy product that obviously hasn’t been thoroughly tested!

    In any other industry where the customer stood to lose *so much*, there would be serious government / bureaucratic oversight and consumer protections in place… standards, certifications, mandatory audits / compliance tests…

    But we’re just making all this stuff up as we go along! No one is in charge, there is no authority on the subject, there’s no ‘standard procedure for mitigating software security issues’ … but if the vendors get their way, there will be… if only to strip your rights as a consumer to seek justice or reimbursement for any losses due to their distributing a poorly designed, broken and potentially dangerous product.

    So sell up big guy. I’ll give you 1k for a nice kernel 0day, even if it’s just local and only works on Taiwanese Celatron36 cpus🙂

  3. G’day Silvio!

    Welcome back! I thought you’d dropped off the face of the planet. Can you mail me and let me know your address?

    Wade.

  4. Go on, sell it like a pimpstah!
