Bug bounty program answers critics

Could hackers use TippingPoint signatures of paid-for flaws to reverse-engineer exploits?

The man who launched both of the security industry's major bug bounty programs Thursday defended the idea of paying for vulnerabilities, but also said he has responded to critics by putting a tighter lid on bug details to make sure they don't fall into the wrong hands.

Dave Endler, now the director of research at TippingPoint, a producer of intrusion-prevention systems (IPS) and part of 3com, created the company's Zero Day Initiative (ZDI) cash-for-crashes program in July 2005. In August 2002, Endler launched a similar company at iDefense, a security intelligence provider now owned by VeriSign.

ZDI, for instance, receives an average of about 40 new vulnerability submissions per month, and buys about one out of 10 submitted. ZDI does not disclose what it pays for a vulnerability, but it does run a "frequent-flier" kind of program that can pay out bonuses as high as $20,000 to top-ranked researchers. TippingPoint uses the vulnerabilities it buys to build signatures for its IPS wares, giving it a jump on the competition that it feels is worth what it pays since it can protect customers from not-yet-public flaws.

But from the moment Endler's brainstorms appeared, other security researchers and professionals lambasted the idea. That criticism hasn't stopped, although Endler said it has diminished. Even so, misconceptions about bounty programs like ZDI continue.

"Many have characterized it as paying hackers, and that's just not the case," said Endler. About 40% of ZDI's top researchers -- the program boasts more than 600 in its community of contributors -- work in the security industry, according to a poll TippingPoint conducted. Just 10% admitted that they would consider selling their findings to the cybercriminal underground if they were offered more money, the poll found.

"In the past few years, a growing research community has been created," said Endler. "And some of them don't want to be burdened with the disclosure process required by vendors. Some of them don't want, for example, to do the extra work that a vendor may ask for."

At and after the annual Black Hat security conference held two weeks ago in Las Vegas, however, critics again blasted bug bounties in general and ZDI in particular. In a Black Hat presentation, Robert Graham, co-founder of Errata Security, said that hackers can reverse-engineer the IPS signatures ZDI releases -- or any anti-malware signature -- and using that, piece together enough information to come up with a working exploit. Graham said at Black Hat that there was some evidence that suggested a pair of underground hacking groups used ZDI signatures to build zero-day exploits.

"We've seen no evidence of that," Endler said. "We have a lot of monitoring devices out there, and have picked up nothing. And we haven't heard anything from an affected vendor, which we would certainly expect."

Nevertheless, Endler said, TippingPoint made several changes to its signature distribution. "[Graham] pointed out a few areas of weakness, and we're working with [him]," said Endler. TippingPoint pushed an update to the operating system of the IPS products that completely changed the format and delivery mechanism of its signatures. "We also changed our model for distributing zero-day signatures," he added. "We removed them all from our products, and going forward, they'll be available only as an opt-in.

"We'll continue to release [zero-day signatures], but to a smaller circle. We'll know who [each recipient] is." TippingPoint has done additional vetting of customers who request the zero-day signatures to further tighten security.

Other researchers took post-Black Hat shots at ZDI. In a posting to the IBM Internet Security Systems (ISS) blog, Gunter Ollmann, director of ISS's X-Force research lab, seconded Graham's criticisms of TippingPoint's bounty program. He also took exception to TippingPoint claims that ZDI gives advance notice of its findings to other security vendors, as well as its justifications for the program.

"As far as I'm concerned, these 'justifications' of theirs are a load of bollocks," Ollmann said, adding that ISS has never been given advanced notice by TippingPoint.

Endler declined to respond directly to Ollmann's charges, but did say TippingPoint shared its bought-and-paid-for zero-day vulnerabilities with any legitimate security vendor. "We would be more than willing [to share with ISS," said Endler. "They just have to ask for it.

"In a lot of ways, [disagreements over paying for vulnerabilities] comes down to a philosophical debate about disclosure," Endler said. But there's another element to the criticism of ZDI, and other bounty programs, he said. With the explosion in security research tools, the bar's been dramatically lowered for entry into the vulnerability hunting community.

"That's a good thing for us, because it expands the research community. There are all that many more potential researchers looking for vulnerabilities." Critics, he said, are usually old-school researchers, who made their bones in the field long before the number of discovered and disclosed vulnerabilities -- and competition for them -- climbed.

"Many of these people are just living in the past," Endler said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?