Michal Zalewski wrote a post about the responsibilities a security researcher has when it comes to vulnerability discovery.
Now I’m not much of a bug hunter myself, nor do I do this for a living, so I can’t say for sure how much time is needed to find such bugs. I will instead try to reason from some numbers provided by Dave Aitel from Immunitysec. On dailydave he wrote that it takes about 3 person-months to have a reliable exploit on Windows. A less reliable exploit, and for more OSes than just Windows, would take on average 1 person-month.
The reasoning behind Michal’s post is that you should give away bugs for free to obtain:
1) peer recognition
2) interesting job offers
3) public shame on negligent (security-wise) companies
Now I would say that to get the first two of them and stay relevant in the community it takes about 3-4 exploits per year (this is by no means the “perfect guide to infosec fame”, but I guess that’s a good assessment of what it takes to obtain what Michal said).
So, to summarize, what you need to do is spend 4 months of your life each year to: make sure your peers like you, make sure big companies making billions per year are mocked in public, and finally have interesting job offers that you probably don’t care about. Not only can you obtain all three of them in thousands of other ways, but also, as you can easily understand, none of those pay your bills. So what we are left with are:
1) Rich people who in their spare time decide to make a name in the infosec industry
2) Skilled people who are looking for a new job (notice though that once they obtain it they will stop doing such research)
3) Criminals and people employed by the aforementioned companies (notice that in this case neither of them has the slightest interest in making the information public to everyone)
In the end this looks to me like a typical “Quis custodiet ipsos custodes?” situation, in which everyone has to blindly trust either random and not very motivated people (1 and 2) or companies who will publicly shame themselves by telling the world how much they suck when it comes to security.
Somebody may argue that this is exactly what happens in real life with physical security, e.g. law enforcement and everything related to it. There is one objection to that though: you get to vote for your president; you don’t get to vote for the CEO of a random software company.
At the end of the day you need to choose the lesser evil, and if that is having companies like iDefense, TippingPoint and so forth pay researchers and then apply “responsible disclosure”, or convincing companies to pay people for their bugs, I’d say this is definitely the least evil we can wish for... and I’m not even sure that this is “evil” at all.
Hi Vincenzo,
I just wanted to stop by to clarify: my post is not meant to in any way criticize researchers who work with iDefense, ZDI, or capitalize on their work in some other way.
Instead, I am essentially trying to make two points:
1) That the “no more free bugs” movement seems to be misguided *if* the goal is to convince vendors who, in our opinion, do not care about security, to actually get serious about it, and hire some talent. Full disclosure probably works better than no disclosure.
2) That while doing vulnerability research and publishing your findings (or selling them) might be OK, resorting to sales approaches that seem to flirt with blackmail is much more socially questionable.
Also, while this is tangential to the point I am making, I doubt that any vendor would expect you to develop a reliable, weaponized exploit just to accept a bug report.
Hope this makes some sense.
/mz
Hey Michal,
thanks a lot for the clarifications :)
Sorry if I have misinterpreted part of your blog post, I just wanted to point out that imo “no more free bugs” (and selling bugs to iDefense, etc etc) is not about “no disclosure” but about making sure that researchers get what they deserve (money-wise).
Totally agree with you on 2) and that a fully reliable and weaponized exploit is most of the time not required for a vendor.
Cheers,
Vincenzo