By Lisa Vaas
June 7, 2007
Security researchers, are you tired of handing your vulnerability
discoveries over to your employer, as if that were what you're paid to
do? Helping vendors secure their products —for free— so that their
users won't be endangered by new vulnerabilities? Showing your hacking
prowess off to your friends, groveling for security jobs or selling your
raw discoveries to middlemen for a fraction —a pittance— of their real
Take heart, underappreciated, unremunerated vassals, for a new firm is
offering to work with you on a vulnerability patch that they will then
patent and go to court to defend. You'll split the profits with the
firm, Intellectual Weapons, if they manage to sell the patch to the
vendor. The firm may also try to patent any adaptations to an intrusion
detection system or any other third-party software aimed at dealing with
the vulnerability, so rest assured, there are many parties from which to
potentially squeeze payoff.
Intellectual Weapons is offering to accept vulnerabilities you've
discovered, as long as you haven't told anyone else, haven't discovered
the vulnerability through illegal means and don't have any legal
responsibility to tell a vendor about the vulnerability.
Also, the vulnerability has to be profitable—the product must be "highly
valuable," according to the firm's site, "especially as a percentage of
the vendor's revenue." The product can't be up for upcoming
phaseout—after all, the system takes, on average, seven years to churn
out a new patent. The vendor has to have deep pockets so it can pay
damages, and your solution has to be simple enough to be explained to a
Because goodness, you will be looking at juries and lawyers, you can
count on that. Intellectual Weapons says this isn't for everybody. The
firm says it "fully [anticipates] major battles."
"We need people who have the emotional stability and the tenacity to
persevere with each project—from describing the vulnerability, and
helping develop the fix, through to generating and enforcing the IP,"
the firm states on its site.
Patenting may be a new twist, but the idea of profiteering from
vulnerabilities is nothing new. iDefense Labs has its Vulnerability
Contributor Program, and TippingPoint has its Zero Day Initiative. Even
the Mozilla Foundation tried it, although of course the open-source
software project dedicated funds to bugs found in only its own code.
The blogosphere is frothing.
"Nice. The race to the bottom started by [TippingPoint parent company]
3Com and [iDefense] is now complete. I for one hope that Matasano is
able to use this idea in regards to a TippingPoint vulnerability," wrote
Chris_BJune in a response to a blog from security firm Matasano's Thomas
According to Ptacek, the reasons why nobody should care about
Intellectual Weapons include the fact that the time required to
complete a patent filing is over seven years. Add on to that the years
it will take to "initiate, litigate and prevail in a patent claim,
especially against an established software vendor," Ptacek said.
"Presuming you do prevail; you likely won't."
Intellectual Weapons has plans to deal with these inconveniences,
however. The company says that it may try to use a Petition to Make
Special in order to speed up the examination process when filing a U.S.
patent. Another strategy the firm proposes using is to go after a
utility model rather than a patent—a utility model being similar to a
patent but easier to obtain and of shorter duration—typically six to 10
"In most countries where utility model protection is available, patent
offices do not examine applications as to substance prior to
registration," the company says. "This means that the registration
process is often significantly simpler, cheaper and faster. The
requirements for acquiring a utility model are less stringent than for
Ptacek calls utility models "patents-lite." Other nicknames are "petty
patent," "minor patent" and "small patent." Such patent workarounds are
available in some EU countries and other countries including Argentina,
China, Malaysia, Mexico, Morocco, Philippines, Poland, Russia, South
Korea and Uzbekistan.
"Would it be [possible] for an outfit like 'Intellectual Weapons,'
exploiting the services of contingency-fee lawyers, to get an injunction
against a Microsoft security fix in the Republic of Moldova? Anything's
possible," Ptacek said.
He doesn't believe it will happen, however, given that international
patents have to be fought jurisdiction by jurisdiction. "In this case,
you'd be slogging through those fights for a shot at a tiny sliver of
the revenue generated by the products you're targeting. This is nothing
like NTP vs. RIM, where NTP's claims enabled RIM's entire product."