There is an ongoing debate in the IT security community about whether it makes sense for software and hardware vendors to pay researchers for finding vulnerabilities. For some vendors, such as Mozilla and HP (NYSE:HPQ), rewarding researchers is part of their security model. Microsoft, on the other hand, has steadfastly kept to a policy of not paying those who uncover security holes. Networking giant Cisco (NASDAQ:CSCO) has more of a bartering system for rewarding researchers.
The different approaches illustrate how each vendor prefers to deal with the security research community. The bottom line, though, is that every vendor wants to be informed when its software is vulnerable; the only question is how it works with researchers to actually get that information.
“There has been debate around this area for years, but it is naïve to think that the community is not going to grow and that we won’t produce more and more software and that vulnerabilities won’t increase in severity,” Dan Holden, director of DVLabs at HP TippingPoint, told InternetNews.com. “I think it is wise and responsible that any vendor that cares about the quality and security of their product works with the researcher community.”
DVLabs, the security research arm of HP’s TippingPoint division, runs the Zero Day Initiative (ZDI), which pays security researchers for finding vulnerabilities. DVLabs also runs the popular annual Pwn2Own contest, which offers rewards to researchers for finding browser and mobile bugs.
Holden said that overall, ZDI accepts about 30 percent of the vulnerabilities offered to it. Payment varies with the severity and impact of the submitted bug.
“We’re not in the vulnerability acquisition game just to acquire a lot of vulnerabilities,” Holden said. “What we’re out to do is acquire the vulnerabilities we think are the most critical and pose the greatest risk to our customer base.”
Though TippingPoint buys the vulnerabilities to protect customers of its Intrusion Prevention Systems (IPS) and other security technologies, all the bugs are also responsibly disclosed to the affected software vendors.
“We want to give the research community a safe haven for vulnerability researchers, if they don’t want to have to deal with the software vendors themselves,” Holden said. “That’s why ZDI has become so popular with the research community. We have good relations with both researchers and vendors and everyone has discovered over the years that it is mutually beneficial for everyone involved.”
Among the vendors that TippingPoint’s ZDI deals with is browser vendor Mozilla. Mozilla also has its own effort to pay researchers for security flaws, called the bug bounty program. The program was recently expanded, raising the payment for a qualifying bug to $3,000 from $500.
Johnathan Nightingale, director of Firefox development at Mozilla, told InternetNews.com that since the program started in 2004, Mozilla has paid out 120 bug bounties to 81 different researchers.
“We think that that program has been pretty great at drawing people into the Mozilla security community and getting them participating at helping to secure our users,” Nightingale said.
Overall, from Mozilla’s perspective, it does pay to pay for security vulnerabilities.
“It’s impossible to know how many security bugs would have been disclosed to us without the bug bounty program,” Nightingale said. “We think it works really well, though Microsoft has come out and said they won’t pay (for bugs), for us it has been a phenomenally successful program.”
Microsoft has a policy of not directly paying independent security researchers for security flaws. In an interview with InternetNews.com, Jerry Bryant, group manager for Microsoft’s Trustworthy Computing Group, said that over 80 percent of the vulnerabilities reported to Microsoft were reported responsibly, with no talk of payment. Bryant also noted that Microsoft does support security research by sponsoring numerous events and conferences.
Cisco’s bartering system
Cisco rewards some, but not all, security researchers for finding vulnerabilities.
“We appreciate security research, but different researchers want different things,” Cisco Chief Security Officer John Stewart told InternetNews.com.
For example, Stewart said some researchers just want an acknowledgment of their work, which may help them grow their own security consulting businesses. Other researchers are looking for Cisco equipment to help them do more research.
“I’ve seen it down to T-shirts, where the researcher just wants a shirt they can’t seem to find and apparently Cisco is the only place to get it,” Stewart said.
“But we don’t want it for free either — we understand that researchers have bills they need to pay,” he added. “So there is a bartering system — can we aid the researchers’ work by giving them equipment, access to software or a tighter relationship with Cisco? I think that we’ve gotten success in that respect.”
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.