By Sean Hargrave
January 17 2008
This year computer users will be more exposed to cybercriminals than
ever before. It's not just because online crime is so attractive to
identity theft gangs but, ironically, because the computer security
industry that is supposed to protect users has deteriorated - from one
which shared everything about newly discovered weaknesses to what some
within it now call a "protection racket".
It may sound alarmist, but researchers such as Paul Henry,
vice-president of technology at Secure Computing, are using exactly that
language to describe a move by a small minority of security companies
now paying hackers for exclusive access to newly discovered
vulnerabilities. This ensures their customers are protected while the
software vendor works out a solution and rolls out a patch, a process
that can take weeks.
"The security industry is fast becoming a protection racket. There's no
other word for it," Henry says. "The tradition has always been for
vendors to share information on vulnerabilities so we can all protect
our customers. Now you've got hackers being given a so-called legitimate
route of selling vulnerabilities to a single company who then protect
"It's not only wrong, because it only protects one company's customers,
it also gives a lucrative market for hackers. They don't have to run the
risk of going to jail any more by actually using a vulnerability, they
can just threaten you with it and they get paid. It's extortion."
The number of flaws that can be exploited in software is growing fast:
last year alone the US National Vulnerability Database (nvd.nist.gov), a
clearing house, noted 6,680 new ones across a huge range of products and
operating systems. That represented a dramatic slowing of growth after
two years in which it had grown from just 1,281 in 2003. A forecast by
analysts Gartner suggested that the security industry would be worth
$9.1bn (£4.6bn) in 2007, up by 10 per cent from the $8.2bn of 2006
(tinyurl.com/yvjxgl). The rewards for getting an edge are therefore
Henry claims he does understand how the market for selling
vulnerabilities on an exclusive basis has come about, blaming well-known
software companies for not treating security researchers better.
"There have been cases where people reporting vulnerabilities to
software companies have been treated terribly and threatened with legal
action because the vendors just don't want to look stupid," he says.
"Security researchers that have found a vulnerability won't get paid by
a vendor, and if they think they actually might end up talking to their
lawyers and being threatened, then it's hardly surprising they end up
selling vulnerabilities to security companies. It's just a shame as it's
opened the door for extortion."
The two companies that spring to mind when executives like Henry talk
about extortion are Tipping Point and WabiSabiLabi. The former is the
most notable security company paying "security researchers" for
exclusivity on vulnerabilities and its patches, while the latter is
unashamedly set up as an auction house for vulnerabilities. Security
researchers - though others may prefer to call them hackers - can go to
WabiSabiLabi to report a vulnerability they have found: it is then
auctioned to the highest bidder. The site takes what is believed to be a
According to Yuval Ben-Itzhak, chief technology officer of San Francisco
security company Finjan, this approach of buying or auctioning
vulnerabilities goes against everything responsible security businesses
should believe in.
"I really don't like this paying hackers strategy. It rewards them and
it leaves computer users more vulnerable," he says. "Responsible
companies share information, they build up trust over years and have
routes to share vulnerabilities, always acknowledging where the first
report has come from, so that company or researcher concerned is
applauded for their help. To my mind, you can't trust hackers, so if
you're a responsible company you spend money on research rather than
handing it over to extortionists."
Terri Forslof, manager of security response at Texas-based Tipping
Point, defends the company's strategy, pointing out that it means
security researchers can report vulnerabilities and be rewarded without
being tempted to sell their knowledge to criminals - who can pay a lot
more. "When you've got security researchers fearing they'll be
threatened with legal action if they report vulnerabilities, it's not
surprising they come to us," she says.
"We can deal with the software vendor for them and ensure they get
rewarded for their vulnerability. The software vendor is informed of any
vulnerabilities we buy and we do not release details of what we have
bought to the outside world. It's true that our customers get protection
from the problem before the software vendor rolls out a patch for the
issue, but we don't see how that is a problem for our customers.
"We are an option that allows security researchers to be rewarded for
their efforts without having to go to the dark side of criminality,
which has to be good for everyone. We also believe that if the people
coming to us don't find those vulnerabilities then someone else will, so
it's better that they get reported to us than be sold to criminals."
However, to security companies based around sharing information, the
argument does not carry much weight. Mary Landesman, senior security
researcher at ScanSafe and a former security expert at Microsoft,
believes those who do not share vulnerabilities are deluding themselves.
"Do they really know that Hacker A is not also somewhere else selling a
vulnerability calling himself Hacker B?" she asks. "Do they know they're
not paying for something that hasn't been discussed with another hacker
who could go on to exploit the vulnerability and damage the vast
majority of computer users that won't have protection?
"They talk about security researchers being harshly dealt with, but I
can assure you at the hacker conferences they are well wined and dined.
Software vendors only get angry when vulnerabilities are irresponsibly
released to the public before they've had a chance to work on them. If a
security researcher wants to report a vulnerability as an altruistic
gesture they can do, but if they're motivated by money, blaming the
software vendors is an easy excuse for selling the exploit rather than
giving it away."
Geoff Sweeney, chief technology officer of the Australian global
security business Tier 3, agrees and points out that the security
researcher market is far more clouded than the likes of Tipping Point
would like to make out. "They talk about white- and black-hat
researchers but there's a lot of grey in between," he says.
"I think there's some truth in the software vendors making a rod for
their own back by treating researchers badly, prompting them to sell the
vulnerabilities they uncover; but it's still extortion, it's paying
someone to hand over something they're threatening computer users with.
Plus, if money is their priority over reporting it to the software
vendor, why offer them money? You can't compete with what the black
market offers anyway, so why legitimise it so it looks OK to find
vulnerabilities and sell them to security companies as exclusives?"
Although the chief executive of WabiSabiLabi failed to keep to several
interview slots to answer the claims against his Swiss-based company, a
spokesperson insisted that the company was simply offering security
researchers an alternative to selling on the black market. The spokesman
did not agree that WabiSabiLabi has a conflict of interest in doubling up
as an auction house for vulnerabilities while also marketing itself as a
security consultancy, even though that would, by definition, make it the
only consultancy with access to details of undisclosed vulnerabilities
that other companies have paid to have exclusive access to.