The report follows a contest, held at the CanSecWest security conference in Vancouver, to discover a vulnerability on the Mac platform. The contest led to the public discovery of a security flaw affecting browsers on any operating system with QuickTime installed, not just Mac OS X. Apple has since patched the flaw.
Gartner analyst Rich Mogull, one of the authors of the report, said that doing vulnerability research in public comes with "high risk."
Other security contests, like "capture-the-flag" at the annual Black Hat security conference, are tests of skills and don't put systems at risk. "Those are very different from trying to find a new vulnerability that affects a major product line," Mogull told internetnews.com.
The CanSecWest contest came with a $10,000 bounty, offered by network intrusion prevention vendor TippingPoint, which routinely pays for vulnerabilities that are reported through its Zero Day Initiative (ZDI) portal. TippingPoint then reports the vulnerability to the affected vendor.
The timing of this particular contest also offered TippingPoint a unique opportunity, noted Terri Forslof, manager of security response at TippingPoint. Apple had just released 25 patches for its Mac operating system, meaning that anything discovered during the contest "would be a new, previously unknown vulnerability," she told internetnews.com.
She defended how TippingPoint handled the contest, saying that the winning contestants knew they would be paid only if they played by the rules: disclosing the flaw solely to TippingPoint, which in turn handles the disclosure to Apple.
Moreover, she said, the contest was going to go forward with or without TippingPoint's participation, and there would have been a lot of press attention in any case. She declined to comment on the wisdom of holding these kinds of contests, but said that flaws exist on all platforms and will eventually be found.
"I would just as soon see them discovered and reported to the vendors that are affected, regardless of the forum that that takes place in," she said.
Mogull, however, said that the contest almost allowed a vulnerability to get exploited, despite the precautions taken by CanSecWest. "TippingPoint cannot abdicate responsibility here. And if they do participate in this kind of contest, they need to understand that they're going to undergo criticism from industry experts like myself," he said.
The way TippingPoint handled the contest is a microcosm of how it buys vulnerabilities from hackers all over the world.
Forslof said that the ZDI portal allows TippingPoint to disclose more flaws to vendors than it would if it relied exclusively on its own staff because "we're able to tap into resources from all over the globe."
This practice is under attack from other security vendors, including IBM/ISS. Kris Lamb, director of the X-Force R&D team that does threat research for the vendor, said the practice of buying vulnerabilities "does raise a lot of questions that have been going on in private discussions for at least two years."
Lamb said that vendors like TippingPoint buy the vulnerabilities, validate them, disclose them to the affected software vendor, and then issue security alerts before anyone else.
"They can create the ruse that they are ahead of the threat, but they can only do that because they controlled the disclosure timing," he told internetnews.com.
Forslof disputed that assertion, saying TippingPoint buys vulnerabilities as a way of adding research capacity beyond its own staff.
But Mogull said the practice of buying vulnerabilities is purely a marketing function. "Flat out they are doing this so they can offer zero-day protection for their product," he said.