by Christopher Rouland

It’s NOT ethical for security companies to buy vulnerability information

Opinion
Sep 12, 20053 mins

Internet Security Systems strongly opposes the business of purchasing security vulnerabilities. Let’s be very clear. Hackers seek out vulnerabilities strictly to improve their opportunity for financial gain through successful exploitation. By trafficking vulnerabilities, they obtain further economic incentive.

Some vendors say they’re doing the industry a service by paying others to uncover vulnerabilities, presumably removing software bugs. I agree it’s a good thing not to have researchers posting harmful zero-day exploits on the Internet without giving the affected vendor time to address the issue. I also agree it’s a good idea for security vendors to collect zero-day information so they can provide preemptive protection capabilities to their products. But these ends are better achieved through controlled research within reputable and established security research organizations.

ISS has cultivated a research capacity inside the company with the purpose of better understanding vulnerabilities and how they can be exploited. Although some vulnerability research culminates in security advisories, the underlying research is critical to provide preemptive protection for entire classes of vulnerabilities throughout a system. The “a la carte” approach to vulnerability research is similar to anti-virus technology – identify threat, respond with signature.

Through deep vulnerability research into entire IT systems, not only are individual weaknesses uncovered, but also a greater degree of protection can be established for the entire system. The “pay as you go” approach to acquire exploits does not allow the financier of this research to advance the protection of their customers and users of the systems being researched.

Supporters of bug ransoms justify their actions by referencing free-market principles. Economist Adam Smith argued an invisible hand exists that silently influences all things in a free market. He certainly wouldn’t have said that the invisible hand is always a benevolent one. Just because trafficking in zero-day vulnerabilities exists, doesn’t mean independent security vendors should contribute to the market.

Demand begets supply in this case. Minimal demand and low prices have kept the quality down in the past. The only way vulnerability bounty programs will prove successful is if prices increase. Bug ransom programs financed by a buyer with deep pockets attempting to corner a market will result in increasing prices.

Customers trust that their vendor partners have thoroughly researched the security vulnerabilities they uncover and offer protection against them. Bounty programs will break down this trust. It is naive to believe the bad guys won’t be working both sides of the economic equation. There is no way to guarantee that a vulnerability has not been sold to someone else, or that it was not stolen or illegally obtained.

Creating an open cash market and outsourcing security research to a community of hackers with questionable motives will most certainly lead to trouble.

Rouland is CTO at ISS. He can be reached at crouland@iss.net.

The opposing viewpoint – by Marc Willebeek-LeMair, CTO at 3Com.

Face-off forum – What do you think? Read and post comments.