In the Twitter chatter as last Patch Tuesday was unfolding, researcher Alex Sotirov complained that vendors weren't paying those who found the bugs in their products, and that this was unjust.
Most of the bug-finding for major products comes from researchers paid by someone for their work. They may work for security consulting firms like VeriSign iDefense Labs and many are independents paid through bug bounty programs such as Tippingpoint's Zero Day Initiative.
This past Tuesday there were credits to:
- Bing Liu of Fortinet's FortiGuard Labs
- Sean Larsson and Jun Mao of VeriSign iDefense Labs
- Ryan Smith of VeriSign iDefense Labs
- Sam Thomas of eshu.co.uk, working with TippingPoint and the Zero Day Initiative
- team509, working with VeriSign iDefense Labs
- An anonymous researcher, working with TippingPoint and the Zero Day Initiative
- Another anonymous researcher, working with TippingPoint and the Zero Day Initiative
Several other vulnerabilities were not credited; Microsoft described them only as "privately reported." VeriSign and TippingPoint are regulars in the "Acknowledgements" sections of Microsoft security advisories, and lots of other folks show up too. Here are some of my favorites:
- MS09-049: "Hiroshi Noguchi of Alice Carroll fan club"
- MS09-016: "New York State Chief Information Officer / Office for Technology"
- MS09-018: "Justin Wyatt from the Beaverton School District"
Sotirov noted that it's TippingPoint's and VeriSign's customers who were paying for this research and that Microsoft should be paying too. Surely, I asked, Microsoft does vulnerability research on their own product. At this point another famous researcher, Dino Dai Zovi, piped in to say no: "Apple is the only vendor that I know of that releases patches for vulns found internally."
This rang true; I know I've read Apple advisories that credited internal research and I couldn't recall a Microsoft advisory that credited their own. I looked and not a single vulnerability disclosure (so far) in 2009 was credited explicitly to Microsoft. I asked Microsoft about it.