There is an ongoing debate in the IT security community about whether or not it makes sense for software and hardware vendors to pay researchers for finding vulnerabilities. For some vendors like Mozilla and HP (NYSE:HPQ), rewarding researchers is a part of their security model. On the other hand, Microsoft has steadfastly kept to a policy of not paying those who uncover security holes. Networking giant Cisco (NASDAQ:CSCO) has more of a bartering system for rewarding researchers.
The different approaches help to illustrate how each vendor prefers to deal with the security research community. The bottom line though is that vendors all want to be informed of when their software is vulnerable; the only issue is how they work with researchers to actually get that information.
“There has been debate around this area for years, but it is naïve to think that the community is not going to grow and that we won’t produce more and more software and that vulnerabilities won’t increase in severity,” Dan Holden, director of DVLabs at HP TippingPoint, told InternetNews.com. “I think it is wise and responsible that any vendor that cares about the quality and security of their product works with the researcher community.”
DVLabs, the security research arm of HP’s TippingPoint division, runs the Zero Day Initiative (ZDI), an effort that pays security researchers for finding vulnerabilities. The DVLabs group also runs the popular annual Pwn2Own contest, which offers rewards to researchers for finding browser and mobile bugs.
Holden said that, overall, ZDI accepts about 30 percent of the vulnerabilities offered to it. Payment varies based on the severity and impact of the security bug that is submitted.
“We’re not in the vulnerability acquisition game just to acquire a lot of vulnerabilities,” Holden said. “What we’re out to do is acquire the vulnerabilities we think are the most critical and pose the greatest risk to our customer base.”
Though TippingPoint buys the vulnerabilities in an effort to help secure the company’s Intrusion Prevention Systems (IPS)
“We want to give the research community a safe haven for vulnerability researchers, if they don’t want to have to deal with the software vendors themselves,” Holden said. “That’s why ZDI has become so popular with the research community. We have good relations with both researchers and vendors and everyone has discovered over the years that it is mutually beneficial for everyone involved.”
Among the vendors that TippingPoint’s ZDI deals with is browser vendor Mozilla. Mozilla also has its own effort to pay researchers for security flaws, called the bug bounty program. The effort was recently expanded to provide a $3,000 payment per bug, up from $500.
Johnathan Nightingale, director of Firefox development at Mozilla, told InternetNews.com that since the program started in 2004, Mozilla has paid out 120 bug bounties to 81 different researchers.
“We think that that program has been pretty great at drawing people into the Mozilla security community and getting them participating at helping to secure our users,” Nightingale said.
Overall, from Mozilla’s perspective, it does pay to pay for security vulnerabilities.
“It’s impossible to know how many security bugs would have been disclosed to us without the bug bounty program,” Nightingale said. “We think it works really well. Though Microsoft has come out and said they won’t pay (for bugs), for us it has been a phenomenally successful program.”
Microsoft has a policy of not directly paying independent security researchers for security flaws. In an interview with InternetNews.com, Jerry Bryant, group manager for Microsoft’s Trustworthy Computing Group, said that over 80 percent of the vulnerabilities reported to Microsoft were reported responsibly, with no talk of payment. Bryant also noted that Microsoft does support security research by sponsoring numerous events and conferences.
Cisco’s bartering system
Networking giant Cisco (NASDAQ:CSCO) rewards some, but not all, security researchers for finding vulnerabilities.
“We appreciate security research, but different researchers want different things,” Cisco Chief Security Officer John Stewart told InternetNews.com.
For example, Stewart said some researchers just want an acknowledgment of their work, which may help them grow their own security consulting businesses. Other researchers are looking for Cisco equipment to help them do more research.
“I’ve seen it down to T-shirts, where the researcher just wants a shirt they can’t seem to find and apparently Cisco is the only place to get it,” Stewart said.
“But we don’t want it for free either — we understand that researchers have bills they need to pay,” he added. “So there is a bartering system — can we aid the researchers’ work by giving them equipment, access to software or a tighter relationship with Cisco? I think that we’ve gotten success in that respect.”