It’s one thing to discover vulnerabilities and report them, but to make it a contest? Research firm Gartner criticizes this very thing in a report released this week.
The report, which comes after a contest to discover a vulnerability on the Mac
platform, held at the CanSecWest security conference in Vancouver, led to
the public discovery of security flaws affecting all browsers on any
operating system running QuickTime 2. Apple has since patched the flaw.
Gartner analyst Rich Mogull, one of the authors of the report, said that
doing vulnerability research in public comes with “high risk.”
Other security contests, like “capture-the-flag” at the annual Black Hat
security conference, are tests of skills and don’t put systems at risk.
“Those are very different from trying to find a new vulnerability that
affects a major product line,” Mogull told internetnews.com.
The CanSecWest contest came with a $10,000 bounty, offered by network
intrusion prevention vendor TippingPoint, which routinely pays for
vulnerabilities that are reported through its Zero Day Initiative (ZDI)
portal. TippingPoint then reports the vulnerability to the affected vendor.
The timing of this particular contest also offered TippingPoint a unique
opportunity, noted Terri Forslof, manager of security response at
TippingPoint. Apple had just released 25 patches for its Mac operating
system, meaning that anything discovered during the contest “would be a new,
previously unknown vulnerability,” she told internetnews.com.
She defended how TippingPoint handled the contest, saying that the winning
contestants knew they would only get paid if they played by the rules, which
means only disclosing the flaw to the security vendor, which handles the
disclosure to Apple.
Moreover, she said, the contest was going to go forward with or without the
vendor’s participation, and there would have been a lot of press attention
in any case. She refused to comment on the wisdom of holding these kinds of
contests, but said that flaws exist on all platforms and will eventually get
“I would just as soon see them discovered and reported to the vendors
that are affected, regardless of the forum that that takes place in,” she
Mogull, however, said that the contest almost allowed a vulnerability to get
exploited, despite the precautions taken by CanSecWest. “TippingPoint cannot
abdicate responsibility here. And if they do participate in this kind of
contest, they need to understand that they’re going to undergo criticism
from industry experts like myself,” he said.
The way TippingPoint handled the contest is a microcosm of how it buys
vulnerabilities from hackers all over the world.
Forslof said that the ZDI portal allows TippingPoint to disclose more flaws
to vendors than it would if it relied exclusively on its own staff because
“we’re able to tap into resources from all over the globe.”
This practice is under attack from other security vendors, like IBM/ISS
(Quote). Kris Lamb, director of the X-Force R&D team that does
threat research for the vendor, said the practice of buying vulnerabilities
“does raise a lot of questions that have been going on in private
discussions for at least two years.”
Lamb said that vendors like TippingPoint buy the vulnerabilities, validate
them, disclose them to the affected software vendor, and then issue security
alerts before anyone else.
“They can create the ruse that they are ahead of the threat, but they can
only do that because they controlled the disclosure timing,” he told
Forslof disputed that assertion, saying TippingPoint buys vulnerabilities as
a way of finding additional resources.
But Mogull said the practice of buying vulnerabilities is purely a marketing
function. “Flat out they are doing this so they can offer zero-day
protection for their product,” he said.