
NO MORE FREE BUGS


Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Thu Mar 19, 2009 9:54 pm

NO MORE FREE BUGS

http://blogs.zdnet.com/security/?p=2941

Did you consider reporting the vulnerability to Apple?

I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away.  Apple pays people to do the same job so we know there’s value to this work. No more free bugs.


Interesting take, don't you think?
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com

NickFnord

Full Member

Posts: 117

Joined: Fri Sep 05, 2008 5:25 am

Post Fri Mar 20, 2009 5:51 am

Re: NO MORE FREE BUGS

The word "extortion" comes to mind....

But yes, discover a bug and report it and you risk a negative reaction by the vendor.  Discover a bug and don't report it and you'll be morally conflicted until someone else reports it and it's not your problem any more.  Discover a bug and try to use this fact to get money out of people and you risk your soul being tortured in the 0xFFFFFFFFth level of heck.

Just MHO.

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Mar 20, 2009 9:44 am

Re: NO MORE FREE BUGS

It's definitely a fine line.

While the assumed "right / moral" thing to do is report the bug to Apple (or whatever vendor) and get it fixed, there are a growing number of security-related sites and companies who will readily pay for this type of information disclosure, and companies like Apple really need to consider whether they want the information released to those companies, first, before they have a chance to fix them.  Ethics would say the author of the post should just give the exploit info to Apple, but all things considered, one can easily see why a person might just submit it to someone else, who's readily willing to pay for it.  After all, as the post says, "Apple pays people to do the same job so we know there’s value to this work."  So if they can pay people to do it, why can't they shell out a bit for an outsider, who found something that, perhaps, their paid help did not?

I personally wouldn't charge for a finding, unless I was being contracted / paid to look.  If I found something, otherwise, because I felt like digging around - well, that was my choice / my time, and I wouldn't expect someone to pay me for my own fun and excitement.  I'd have to agree with NickFnord, in that, if I went looking, and then asked them for pay for finding their bugs, I'd feel like it was 'extortion.'

It's a rough world we live in...  and definitely a touchy subject to many.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri Mar 20, 2009 9:43 pm

Re: NO MORE FREE BUGS

I can see it both ways. He worked hard to find the vulnerability, why shouldn't he be [legally] compensated for it? If you found something else of value, wouldn't you expect to be able to sell it? Oil, gold, a new idea...

These software companies spend a lot of money on people to find these bugs, why not compensate the good guys? It doesn't take much "greed" to find a bug and want to sell it for $100,000 on the black market instead of $5,000 on the "legit" market ($100,000 is the going price for a good IE exploit).

A separate, but more important issue is why not compensate someone? You aren't going to win an ethical debate with the black hats since their moral code isn't troubled by such issues. How much did MS08-067 in the wild cost Microsoft and its users? The individuals who released it upon the world were obviously financially motivated, so why not steer them to the legit side by offering to buy it?
Last edited by timmedin on Sun Mar 22, 2009 6:42 pm, edited 1 time in total.
twitter.com/timmedin | http://blog.securitywhole.com

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Sat Mar 21, 2009 1:06 pm

Re: NO MORE FREE BUGS

I'm with timmedin on this one.  Look at MS08-067 as a great example.  While this case is extreme, there clearly is a financial motive in it.  I think vendors have to look at their actual costs and figure out what it's worth to them to find out about this kind of thing before it's released into the wild.  For that matter, I think they need to look at competing with the black market prices.  MS can afford it.  Every time someone uses a zero day (and it's later found out) their image suffers.

A vendor can prevent an exploiter from selling their discoveries to the black market simply by being the highest bidder.  Right now all you get is a pat on the back (or scornful remarks) and if you're lucky a chance to speak at one of the many security conferences about your discovery.  Vendors: it's time to pony up the dough.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
