There’s been a certain amount of research into the value of security holes in the past few years (for a starter bibliography see the “Economics of vulnerabilities” section on Ross Anderson’s “Economics and Security Resource Page”).
Both TippingPoint and iDefense, who currently run vulnerability markets for zero-day exploits, are somewhat coy about saying what they currently pay (and they both have frequent contributor programmes to try and persuade people not to stick with one buyer, which will distort the market).
The idea is that the firms will bid for the vulnerability, pay the finder (who will keep it quiet) and then work with the vendor to get the hole fixed. In the meantime the firm’s customers will get protection (maybe by a firewall rule) for the new threat — which should attract more customers, and will hopefully pay for buying the vulnerabilities in the first place. The rest of the world gets to hear about it when the vendor finally ships a fix in the form of patches.
It was reported that when TippingPoint came in (giving the impression that they’d be paying out various multiples of $1000) iDefense promptly indicated they’d be doubling what they paid… which one source indicated was usually around $300 to $1000. So competition seems to have affected the market; but the prices paid are still quite low.
However, last December eWEEK reported that some enterprising Russians were offering a 0-day exploit for the Microsoft WMF vulnerability for $4,000 (and it might not have been exclusive, they might sell it to several people).
And now — until the end of March — iDefense are offering an extra $10,000 on top of what they’d normally pay if, when Microsoft eventually issue a patch, they label the vulnerability as “critical” (viz: you could use it to construct a worm that ran without user interaction).
eWEEK have an interesting article on this, the quotes in which deserve some attention for the (non)grasp of economics that appears to be involved. First off they quote Microsoft as saying “We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers”. That’s an interesting viewpoint — perhaps they will be submitting a paper to support their view to WEIS 2006?
eWEEK say (they don’t have an exact quote) that Michael Sutton of iDefense “dismissed the notion that paying for vulnerabilities helps to push up the price for hackers who sell flaws on the illegal underground markets”. That suggests either a market in which communication of pricing information is extremely poor; or that Sutton has a new economic theory that will influence the Nobel committee!
In the same article, Peter Mell from NIST is quoted as saying it was “unfair” to concentrate on a single vendor (though I expect iDefense chose Microsoft for their market share and not by tossing a coin!). He was also apparently concerned about the influence on Bill Gates’ fortune, “A third party with a lot of money could cause stock price shifts if they want to”. That’s just “Stock Exchange Operations 101” so I think we can discount that as a specific worry (though WEIS 2005 attendees will of course recall that security holes do affect share prices).
From my own perspective, I think this commoditisation of vulnerabilities opens a bigger can of worms than the potential improvements it offers for security in the big wide world. I think TippingPoint and iDefense are playing with fire. Here are a few (hastily generated) examples:
1. Packaging. Consider big vulnerabilities vs. small. Ok, so they pay more for a big vulnerability than a small one, because it can cause more damage, and it demands more attention to fix. So if I save up ten smaller vulnerabilities and release them all at the same time, that creates much more of a headache for the response team at M$. You can make the vulnerabilities yourself, or you can buy individual vulnerabilities, package them up, and release them in bursts, to cause maximum headache. Then some other poor sod has to buy the bundle to turn it back into a trickle. My point here is that commoditisation of an evil object (“the vulnerability”) creates new purely economic ways to be evil, just by manipulating these objects. And so the total amount of evilness gets magnified.
2. The Secret Police. Ok so in these vulnerability companies we have organisations that hoard dirt on other people — like the secret police. So what if they get hacked? What potential fallout could there be? On the other hand, what if they get too powerful?
3. “Legal Blackmail”. This is twisted, but it seems to follow to me, that if you make it your business to pay for vulnerabilities, you should offer a price on any vulnerability, depending on its value to you — how much money you can make out of re-selling it, or fixing it first. So how much would TippingPoint pay for a vulnerability in iDefense’s fast patching software? Furthermore, seeing as iDefense explicitly pays for vulnerabilities, why not sell them their own vulnerability? In any other circumstances this would be blackmail, but they can hardly complain.
I am leaning towards supporting these bounties for “zero day vulns”. I know people that claim they have whole libraries of zero day vulns. They save them up “just in case”. You know how geeks can be. A little bit like gunnies that store their grenades and such in the basement “just in case”.
The bad guys in recent years have come into lots of money. They can afford to research their own vulnerabilities. It won’t be long before they use them discreetly for targeted attacks. Gone will be the days of massively spreading worms that announce the vulnerability so effectively.
Stiennon – I’m not sure that you’ve thought this through at all.
We’re talking about bounties for “zero day vulns” with no guarantee or knowledge of how those vulnerabilities are going to be used. Tipping Point and iDefence are clearly able to fund their bounties – and somehow I doubt that they’re doing it by immediately releasing the vulnerabilities that they buy.
To quote from the iDefence website:
That’s advance notice – and note that there’s no comment about the use of the vulnerabilities. If I were in that market, it’d be a fine sight better economics to turn around and sell that vulnerability to a select list of well heeled clients, rather than using it for “research” and “product improvement”, and then releasing it.
Further, you’re a number of years out of date if you think that “the bad guys” aren’t already researching and using vulnerabilities discreetly for targeted attacks. A recent Washington Post article about crackers using spyware to earn money from advertisers is quite clear about that link.