By: Michael Sutton

Hugs Not Bugs

Analysis

At CanSecWest last week, a group of researchers (Charlie Miller, Alex Sotirov and Dino Dai Zovi) stirred up a fair bit of controversy by pushing a "No More Free Bugs" campaign. The premise of which was that they are unwilling to put in the time and effort to research software vulnerabilities and then simply hand them over to software vendors free of charge. This concerned those in the 'Hugs Not Bugs' camp who feel that researchers have a moral obligation to turn over vulnerability details to software vendors free of charge, as such an approach is in the best interest of all involved.

 
Full Disclosure
 
Before diving into my personal views on the subject of paid vulnerability research let me first provide full disclosure (blogger style). I know and respect the researchers that stood up an CanSecWest. Charlie Miller in particular served as a technical reviewer for the Fuzzing book that I co-wrote along with Pedram Amini and Adam Greene. Charlie is a great researcher and a stand-up guy.
 
My stance on paying for vulnerability research certainly isn't much of a secret. I ran the iDefense/Versign Vulnerability Contributor Program (VCP) for several years. We secured the intellectual property rights to hundreds of vulnerabilities during my tenure and worked with affected vendors to ensure that patches were ultimately produced for all issues. Our motivation was certainly financial and was driven by acquiring early access to vulnerability information and providing workarounds to clients until official patches became available. TippingPoint/3com went on to launch a similar program with their Zero Day Initiative (ZDI), which was actually launched by former iDefense employee, David Endler who was instrumental in launching the VCP program as well.
 
During my time at iDefense I came to realize the value of vulnerabilities. I also came to understand just how much software vendors benefited from such information. Bugs are not good for vendors as they result in negative publicity and reduce consumer confidence in a given product or vendor. Therefore, vendors have a very real incentive to ensure that they receive vulnerability information as quickly as possible and that such information does not become public knowledge. For a long time, vendors have promoted the hugs not bugs philosophy. Why wouldn't they? When researchers freely hand over vulnerability details, vendors receive monetary value at no cost and therein lies the failure. In a free market economy, value is not given away for very long before a market evolves. This led to the creation of programs such as the VCP and ZDI. Vendors have also heavily benefited from these programs as they still receive vulnerability details free of charge. The fee to the researcher is paid by a middle man.
 
Current State
 
It still amazes me that the VCP and ZDI remain the only open, main stream programs paying for vulnerabilities. Believe me, there is plenty of room at the party for others. Bugs are not going away. That does not however mean that there aren't other entities willing to pay for vulnerabilities. Unfortunately, other entities have no interest in sharing vulnerability information with software vendors. Government entities and criminal organizations are very willing to pay for vulnerabilities. However, they have very different motivations and seek to use the information for offensive purposes meaning that they have little interest in seeing patches emerge.
 
Despite understanding the value of vulnerabilities, vendors have been unwilling (at least openly) to pay for such information. The argument given is typically that they fear they will be held hostage by researchers demanding increasingly outrageous sums of money and threatening to publicly disclose the bug if they aren't paid. This argument just doesn't fly. Bug hunters already have numerous avenues to profit form their research should they choose to. If they seek the highest bidder they will find one and vendors will never be in the bidding process to begin with.
 
My Solution
 
My stance is simple. It's time for vendors to start paying for the value that they receive. Mozilla has for years had a program known as the Mozilla Security Bug Bounty Program. The program is quite basic - contributors receive $500 (and a t-shirt!) for critical security bugs which meet specific criteria. Now $500 pales in comparison to the $50K+ that may be available for the juiciest bugs but in my opinion the total value isn't the point. Those motivated solely by cash will go elsewhere, but I believe that the majority of researchers have little interest in negotiating back room deals to get full value. Rather, they are motivated by doing good, but want to be compensated to at least some degree for their hard work.
 
What's the appropriate price point for vendors? I'll leave that to the free market to decide. After all, that's what the invisible hand is for. Let's however consider the $5K value that was used by the Pwn2Own contest. By my count, during 2008, Microsoft issued 46 critical advisories. That amounts to $230K in payouts for such information. Now let's double that number to convert from advisories to actual vulnerabilities. We're still at less than $500K, which amounts to less than the salary of a three to four experienced bug hunters on staff and even if Microsoft hired a hundred bug hunters they'd fail to identify all of the bugs found by outside researchers. It's also 2x the value that Microsoft is willing to pay as a bounty to catch those behind the Conficker worm. A worm that wouldn't have seen the light of day if critical Microsoft vulnerabilities had not existed in the first place.
 
Let's be honest, vendors have been paying for vulnerability knowledge for some time through employee salaries, lavish parties, recruiting efforts, etc., so why has it always been considered taboo to pay for the information directly? It time for a leading vendor (I'm talking to you Microsoft) to step up and establish a program to pay third party researchers for the work that they do. Establish fixed prices (non-negotiable) for vulnerabilities that fit into your already well established severity rating system. Don't worry about paying more than everyone else but pay enough to compensate researchers for their time. I suspect that you'll be pleasantly surprised by the results.
 
Hugs Not Bugs was dead a long time ago...Charlie, Dino and Alex just made it official.
 
- michael

Learn more about Zscaler.