Sunday, September 30, 2007

Zero Day Vulnerabilities Market Model Gone Wrong

It's one thing to allow legitimate buyers, presumably the affected vendors themselves, to bid for a zero day vulnerability discovered within their products in order to provide a financial incentive for the researcher who discovered the flaw. It's another to superficially increase the monetary value of a zero day vulnerability by taking advantage of its vendor-added exclusiveness. But it's entirely another to position responsible disclosure as an exclusive courtesy. Here's a sample letter informing the company within whose products a vulnerability has been found, and yes, the ultimatum for not releasing it:

"We've discovered an attack against the LinkedIn toolbar. If you are interested in the bug, we would like to give first right of refusal to purchase it. We'd also like to perform a more complete security audit of your products. We can help make the LinkedIn products more secure," DeMott stated in e-mail sent to LinkedIn on July 10, as viewed by CNET. The e-mail continues: "If you wouldn't like to buy it then we are happy to resell or release as a full disclosure to help prevent security issues arising on end users' servers. We strongly believe in keeping users safe. We are unique in that we give vendors a first chance at the bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA Labs Value add document attached. If you'd like to buy the bug we will provide working attack code, so that you can verify the bug, before you send the check." VDA set a deadline of July 17 and requested a payment of $5,000."

I first mentioned the possibility of having a security researcher blackmail an affected party a long time ago, however, I never thought it would be a company with serious knowledge in the field that's setting ultimatums, doubling the requested amount for the vulnerabilities if the vendor delays the response and threatening to release a PoC in a full disclosure style. Getting paid for getting hacked in reverse order - getting hacked for not paying. However, the ugly reality goes that what's a zero day for the mainstream media today is last month's zero day for the underground that's been improving the chances of success of their targeted attacks against a specific company or an individual. That's of course in the rare cases when malware authors no longer keep it simple, the stupids.

Here's another article on this story. Image courtesy of eEye's Zero Day Tracker.