The man who launched the security industry's two biggest bug bounty-hunting programmes has defended the idea of paying for vulnerabilities against recent criticism.
Dave Endler, director of research at TippingPoint, now owned by 3Com, created the company's Zero Day Initiative (ZDI) cash-for-hacks program in July 2005. In August 2002, Endler launched a similar company, iDefense, which is now owned by VeriSign.
ZDI receives an average of about 40 new vulnerabilities per month, and buys about one out of 10. ZDI does not disclose what it pays for a vulnerability, but it does run a "frequent-flier" style program that can pay out bonuses as high as $20,000 to top researchers. TippingPoint uses the vulnerabilities it buys to build signatures for its intrusion prevention systems, giving it a jump on the competition.
But from the moment Endler's ideas appeared, other security researchers and professionals blasted them. That criticism hasn't stopped, although Endler said it has diminished. Even so, misconceptions about bounty programs like ZDI continue.
"Many have characterised it as paying hackers, and that's just not the case," said Endler. About 40 percent of ZDI's top researchers - the program boasts more than 600 in total - work in the security industry, according to a poll TippingPoint conducted. Just 10 percent admitted that they would consider selling their findings to the criminal underground if they were offered more money, the poll found.
"In the past few years, a growing research community has been created," said Endler. "And some of them don't want to be burdened with the disclosure process required by vendors. Some of them don't want, for example, to do the extra work that a vendor may ask for."
At and after the annual Black Hat security conference held two weeks ago in Las Vegas, however, critics again blasted bug bounties in general and ZDI in particular. In a Black Hat presentation, Robert Graham, co-founder of Errata Security, said that hackers can reverse-engineer the IPS signatures ZDI releases - or any anti-malware signature - and, using that, piece together enough information to come up with a working exploit.
Graham said at Black Hat that there was some evidence that suggested a pair of underground hacking groups used ZDI signatures to build zero-day exploits.
"We've seen no evidence of that," Endler said. "We have a lot of monitoring devices out there, and have picked up nothing. And we haven't heard anything from an affected vendor, which we would certainly expect."
Nevertheless, Endler said, TippingPoint made several changes to its signature distribution. "[Graham] pointed out a few areas of weakness, and we're working with [him]," said Endler. TippingPoint pushed an update to the operating system of the IPS products that completely changed the format and delivery mechanism of its signatures.
"We also changed our model for distributing zero-day signatures," he added. "We removed them all from our products, and going forward, they'll be available only as an opt-in.
"We'll continue to release [zero-day signatures], but to a smaller circle. We'll know who [each recipient] is." TippingPoint has done additional vetting of customers who request the zero-day signatures to further tighten security.
Other researchers took post-Black Hat shots at ZDI. In a posting to the IBM Internet Security Systems blog, Gunter Ollmann, director of ISS's X-Force research lab, seconded Graham's criticisms of TippingPoint's bounty program. He also took exception to TippingPoint's claims that ZDI gives advance notice of its findings to other security vendors, as well as to its justifications for the program.
"As far as I'm concerned, these 'justifications' of theirs are a load of bollocks," Ollmann said, adding that ISS has never been given advance notice by TippingPoint.
Endler declined to respond directly to Ollmann's charges, but did say TippingPoint shared its paid-for zero-day vulnerabilities with any legitimate security vendor. "We would be more than willing [to share with ISS]," said Endler. "They just have to ask for it.
"In a lot of ways, [disagreements over paying for vulnerabilities] comes down to a philosophical debate about disclosure," Endler said. But there's another element to the criticism of ZDI, and other bounty programmes, he said. With the explosion in security research tools, the bar has been dramatically lowered for entry into the vulnerability hunting community.
"That's a good thing for us, because it expands the research community. There are all that many more potential researchers looking for vulnerabilities." Critics, he said, are usually old-school researchers, who made their bones in the field long before the number of discovered and disclosed vulnerabilities - and competition for them - climbed.
"Many of these people are just living in the past," Endler said.