Gartner: Hack contests bad for business

Contests could lead to mishandling or treating too lightly these vulnerabilities

A pair of Gartner analysts Tuesday denounced a recent hack challenge that uncovered a still-unpatched QuickTime bug, calling it "a risky endeavor" and urging sponsors to reconsider such public contests.

The research manager of TippingPoint, the company that paid US$10,000 for the QuickTime vulnerability and its associated exploit, rebutted by saying that at no time was there any danger of the vulnerability escaping from responsible parties.

Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a Vancouver security conference held two weeks ago. For his trouble, Dai Zovi took home the US$10,000 prize offered by TippingPoint's Zero Day Initiative, a bug bounty program that's been in operation nearly two years.

Security researchers have called the QuickTime bug, which can be exploited through any Java-enabled browser, "very serious." Apple has yet to patch, or announce when it will patch, the vulnerability.

"Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said analysts Rich Mogull and Greg Young in a research note published by Gartner Monday.

"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue ... could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."

"There are a lot of definitions of 'responsible disclosure,'" retorted Terri Forslof, TippingPoint's manager of security research. "What it means to us is that the vulnerability and its exploit are kept quiet and the vendor's given the time to patch the issue.

"It comes down to the facts of the case. The [CanSecWest] organizers took great pains to secure the network that was actually used for the challenge. As for the idea that this added some risk [that the vulnerability would be made public], I don't find it to be the case."

Mogull and Young recommended that security vendors call an end to public contests. "Consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users," they concluded.

"This wasn't our idea," Forslof said. "We didn't host this challenge, and we didn't organize it. It was an on-the-spot decision [to offer the prize]."

Dai Zovi, who dug up the QuickTime bug and crafted an exploit in a 9- to 10-hour stretch, has said the money wasn't his motivation. "The challenge, especially with the time constraint, was the real draw," he said last Friday in an e-mail interview.

"On the record, I think all vulnerabilities should be disclosed only through the vendor or through a responsible third party," said Forslof. "But users were never at risk here."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?