Security flap: 'Responsible disclosure' debate flares anew
$10K bounty payout has principals arguing ethics of who reveals what and when
By Ellen Messmer, Network World, 05/31/2007
When a recent hacking contest won security researcher Dino Dai Zovi a $10,000 award for breaking into a MacBook Pro computer by exploiting a flaw he’d
discovered, the contest reignited a long-simmering debate over “responsible disclosure” of vulnerabilities.
Research firm Gartner denounced public hacking contests as an inappropriate way to conduct vulnerability research, noting
such contests can run “contrary to responsible-disclosure practices” that give vendors a chance to develop patches or remediation
before public announcements. TippingPoint paid the $10,000 award for the conference-run contest and found itself under fire from competitors, including McAfee and Internet Security Systems, both of which oppose paying rewards for vulnerability discoveries.
For the enterprise network manager, the notion of responsible disclosure has centered on the idea that major security flaws
in products they use wouldn’t be shared publicly in any way until a software vendor corrected them. That's the underlying
premise of what’s called the Organization for Internet Safety (OIS) guidelines first released five years ago and updated in
2004. An effort spearheaded by Microsoft, the OIS guidelines now face criticism from some of the very people who wrote them, who argue enterprises should know about
serious flaws early for purposes of security workarounds.
At the same time, there’s the question of whether paying big bucks for critical software-hacking exploits makes the enterprise
network safer or is simply creating more risk as a market for hacker discoveries grows.
Behind all the sound and fury, it’s clear that security vendors can profit by being the first in the know about critical unpatched
software flaws that would affect hundreds of thousands of users.
“We’re against public hacking contests but we are in favor of actively looking for vulnerabilities,” says Mike Denning, vice
president of security services at VeriSign, which has 40 full-time internal researchers and works with 300 outside contractors, as Denning calls them, to gain exclusive
rights to new software vulnerabilities, the more critical the better. These exclusive rights mean the researcher won’t sell
them to anyone else, nor discuss them, allowing VeriSign to make whatever use of the information they wish.
VeriSign, which got into the pay-for-research information business by acquiring iDefense two years ago, won’t say what it pays these contractors for original research. But VeriSign offers a “vulnerability notification
service” that runs into the “multiple six-figures per year,” for purchase by enterprises, government agencies and software
vendors, Denning says. He says that at the same time the vulnerability information is sent to subscribers, it is also shared
with the software vendor whose software needs to be fixed. The advantage for customers is they know about problems early and
can put in workarounds, though word about flaws could leak out before a vendor had a security fix ready.
VeriSign and TippingPoint, a 3Com division, are the only two security vendors widely known to be paying independent researchers
for vulnerability information. TippingPoint feeds the information into its Digital Vaccine service for intrusion-prevention
systems; VeriSign feeds it into its vulnerability-notification service.
Comments (1)

When should vulnerabilities be publicized?
By NetworkWorld Community on June 6, 2007, 11:32 am
Are public hacking contests an appropriate way to conduct vulnerability research? Re: Security flap: 'Responsible disclosure' debate flares anew.