Bug bounty program answers critics

Could hackers use TippingPoint signatures of paid-for flaws to reverse-engineer exploits?

The man who launched both of the security industry's major bug bounty programs Thursday defended the idea of paying for vulnerabilities, but also said he has responded to critics by putting a tighter lid on bug details to make sure they don't fall into the wrong hands.

Dave Endler, now the director of research at TippingPoint, a producer of intrusion-prevention systems (IPS) and part of 3Com, created the company's Zero Day Initiative (ZDI) cash-for-crashes program in July 2005. In August 2002, Endler launched a similar program at iDefense, a security intelligence provider now owned by VeriSign.

ZDI, for instance, receives an average of about 40 new vulnerability submissions per month, and buys about one out of 10 submitted. ZDI does not disclose what it pays for a vulnerability, but it does run a "frequent-flier" kind of program that can pay out bonuses as high as $20,000 to top-ranked researchers. TippingPoint uses the vulnerabilities it buys to build signatures for its IPS wares, giving it a jump on the competition that it feels is worth what it pays since it can protect customers from not-yet-public flaws.

But from the moment Endler's brainstorms appeared, other security researchers and professionals lambasted the idea. That criticism hasn't stopped, although Endler said it has diminished. Even so, misconceptions about bounty programs like ZDI continue.

"Many have characterized it as paying hackers, and that's just not the case," said Endler. About 40% of ZDI's top researchers -- the program boasts more than 600 in its community of contributors -- work in the security industry, according to a poll TippingPoint conducted. Just 10% admitted that they would consider selling their findings to the cybercriminal underground if they were offered more money, the poll found.

"In the past few years, a growing research community has been created," said Endler. "And some of them don't want to be burdened with the disclosure process required by vendors. Some of them don't want, for example, to do the extra work that a vendor may ask for."

At and after the annual Black Hat security conference held two weeks ago in Las Vegas, however, critics again blasted bug bounties in general and ZDI in particular. In a Black Hat presentation, Robert Graham, co-founder of Errata Security, said that hackers can reverse-engineer the IPS signatures ZDI releases -- or any anti-malware signature -- and using that, piece together enough information to come up with a working exploit. Graham said at Black Hat that there was some evidence that suggested a pair of underground hacking groups used ZDI signatures to build zero-day exploits.

"We've seen no evidence of that," Endler said. "We have a lot of monitoring devices out there, and have picked up nothing. And we haven't heard anything from an affected vendor, which we would certainly expect."

Nevertheless, Endler said, TippingPoint made several changes to its signature distribution. "[Graham] pointed out a few areas of weakness, and we're working with [him]," said Endler. TippingPoint pushed an update to the operating system of the IPS products that completely changed the format and delivery mechanism of its signatures. "We also changed our model for distributing zero-day signatures," he added. "We removed them all from our products, and going forward, they'll be available only as an opt-in.

"We'll continue to release [zero-day signatures], but to a smaller circle. We'll know who [each recipient] is." TippingPoint has done additional vetting of customers who request the zero-day signatures to further tighten security.

Other researchers took post-Black Hat shots at ZDI. In a posting to the IBM Internet Security Systems (ISS) blog, Gunter Ollmann, director of ISS's X-Force research lab, seconded Graham's criticisms of TippingPoint's bounty program. He also took exception to TippingPoint claims that ZDI gives advance notice of its findings to other security vendors, as well as its justifications for the program.

"As far as I'm concerned, these 'justifications' of theirs are a load of bollocks," Ollmann said, adding that ISS has never been given advanced notice by TippingPoint.

Endler declined to respond directly to Ollmann's charges, but did say TippingPoint shared its bought-and-paid-for zero-day vulnerabilities with any legitimate security vendor. "We would be more than willing [to share with ISS]," said Endler. "They just have to ask for it.

"In a lot of ways, [disagreements over paying for vulnerabilities] comes down to a philosophical debate about disclosure," Endler said. But there's another element to the criticism of ZDI, and other bounty programs, he said. With the explosion in security research tools, the bar's been dramatically lowered for entry into the vulnerability hunting community.

"That's a good thing for us, because it expands the research community. There are all that many more potential researchers looking for vulnerabilities." Critics, he said, are usually old-school researchers, who made their bones in the field long before the number of discovered and disclosed vulnerabilities -- and competition for them -- climbed.

"Many of these people are just living in the past," Endler said.


Gregg Keizer
