Monday, May 08, 2006

Shaping the Market for Security Vulnerabilities Through Exploit Derivatives

In a previous post, "0bay - how realistic is the market for security vulnerabilities?", I gave a brief overview of the current market infomediaries and their position, listed various research I recommend you go through, and speculated on an auction-based market model.


During April, at the CanSecWest Security Conference, "Groups argued over merits of flaw bounties". Some quotes:

"The only economic model that does not make sense to me is the vendor's," Sutton said. "They get to know about vulnerabilities ahead of time, but they are unwilling to pay for them." - Michael Sutton

"What I can give people who find vulnerabilities is a small amount of fame. iDefense can give them $10,000." - Darius Wiles

"As a civil rights issue, selling vulnerabilities is just fine. As a keeping-the-customers-safe issue, it's junk." - Novell director of software engineering Crispin

"If I come to you and offer to sell you a vulnerability in your product, I am going to be cuffed and arrested," he told the representatives of software makers on the panel. - Matthew Murphy



And the discussion is pretty hot, with good reason. Back in January Microsoft expressed its opinion on the infomediary-based market model:

"One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, a spokesperson for Microsoft, based in Redmond, Wash., said paying for flaws is not the best way to secure software products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the spokesperson said in a statement sent to eWEEK."

And while Microsoft talks about responsible disclosure, that's exactly the type of model I don't really think exists anymore. Peter Mell made a good point: "I don't support this activity. Basically, it enables third parties to unfairly focus attention on a particular vendor or product. It does not help security in the industry," Mell said in an interview with eWEEK. But it still offers the opportunity to bring order into the chaos, doesn't it?



The WMF vulnerability apparently got purchased for $4000, and among the few scenarios I mentioned were vendors purchasing vulnerabilities and requested vulnerabilities, or a reverse model:

"Requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X is running Y AV scanner, and uses X1 browser as a security through obscurity measure? That's a sort of reverse model compared to the current one where researchers "push" their findings. What if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software"? Would this become common, and how realistic is it at the bottom line?"



Coming across 0day vulnerabilities for sale, I also came across Rainer Boehme's great research on various market models, among them exploit derivatives. Have you ever thought of using exploit derivatives, on the so-called "futures market"? I think the idea has lots of potential, and he describes it as:



"Instead of trading sensitive vulnerability information directly, the market mechanism is built around contracts that pay out a defined sum in case of security events. For instance, consider a contract that pays its owner the sum of 100 EUR on say 30 June 2006 if there exists a remote root exploit against a precisely specified version of ssh on a defined platform."



The OS/Vendor/Product/Version/Deadline type of reverse model that I also mentioned is a good targeted concept if it were used by vendors, for instance, and while it has the potential to give better control over the market, the lack of a common and trusted body to take the responsibility of targeting Windows and Apple 50/50, for instance, still makes me think. The best part is how it would motivate researchers at the bottom line -- deadlines sometimes result in spontaneous creativity.
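To make the mechanics of Boehme's contract concrete, here is an added illustration (not code from the original post or from Boehme's paper): a pair of complementary binary contracts on one precisely specified event, settled against a deadline, with the traded price of the "exploit exists" leg read as the market's implied probability, and a simple sizing rule for a vendor or insurer that wants to hedge an expected loss. The product string, prices, dates and loss figure are all constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import date

# Constructed sample values; the 100 EUR / 30 June 2006 figures are the ones
# quoted from Boehme above, the product description is a placeholder.
PAYOUT = 100.0
DEADLINE = date(2006, 6, 30)
PRODUCT = "remote root in <ssh version> on <platform> (placeholder)"


@dataclass(frozen=True)
class ExploitContract:
    """One leg of an exploit derivative.

    pays_if_exploit=True  : pays `payout` if a qualifying exploit is confirmed
                            on or before `deadline` (the leg Boehme describes).
    pays_if_exploit=False : the complementary leg, pays if no exploit appears.
    """
    product: str
    payout: float
    deadline: date
    pays_if_exploit: bool


# The two legs of one contract pair on the same event.
SSH_YES = ExploitContract(PRODUCT, PAYOUT, DEADLINE, pays_if_exploit=True)
SSH_NO = ExploitContract(PRODUCT, PAYOUT, DEADLINE, pays_if_exploit=False)

# Constructed confirmation dates used by the examples/tests below.
CONFIRMED_BEFORE = date(2006, 6, 1)   # exploit confirmed before the deadline
CONFIRMED_AFTER = date(2006, 7, 1)    # confirmed only after settlement


def settle(contract, exploit_confirmed_on):
    """Amount paid to the holder at settlement.

    exploit_confirmed_on is the date a qualifying exploit was publicly
    confirmed, or None if none was.  A confirmation after the deadline does
    not count: the contract has already settled on the deadline.
    """
    exploit_by_deadline = (exploit_confirmed_on is not None
                           and exploit_confirmed_on <= contract.deadline)
    return contract.payout if exploit_by_deadline == contract.pays_if_exploit else 0.0


def implied_probability(yes_price, payout=PAYOUT):
    """Price of the 'exploit exists' leg read as the market's probability."""
    if not 0.0 <= yes_price <= payout:
        raise ValueError("price must lie between 0 and the payout")
    return yes_price / payout


def hedge_contracts(expected_loss, payout=PAYOUT):
    """Number of 'exploit exists' legs a vendor or insurer needs to hold so
    that a confirmed exploit pays back at least `expected_loss`."""
    return math.ceil(expected_loss / payout)
```

Reading the two legs together is what turns the pair into a price signal: if buying both legs costs less than the payout, the market is mispriced, and the spread between the legs is where a researcher with a deadline and a hefty reward would be trading.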

More on the topic of security vulnerabilities and commercializing the market: in a great article by Jennifer Granick (remember Michael Lynn's case?), she said:



"I'm more concerned that commercialization, while it promotes discovery, will interfere with the publication of vulnerability information. The industry adopted responsible disclosure because almost everyone agrees that members of the public need to know if they are secure, and because there is inherent danger in some people having more information than others. Commercialization throws that out the window. Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem."



Who should be empowered at the bottom line, the infomediaries centralizing the process, or the security researchers/vulnerability diggers starting to seek bids for their research efforts?

On the other hand, I think that the current market model suffers from a major weakness, and that is the need to achieve faster liquidity, if we can even start talking about such a thing.


Basically, sellers of vulnerabilities want to get their commissions as soon as possible, which is where the lucrative underground market easily develops. While I am aware of cases where insurers are already purchasing vulnerabilities to hedge risks until tomorrow, I guess anyone would put some effort into obtaining a critical MS vulnerability given a deadline and a hefty reward, but who's going to act as a social planner here?