Bug bounty program answers critics

Could hackers use TippingPoint signatures of paid-for flaws to reverse-engineer exploits?

The man who launched both of the security industry's major bug bounty programs Thursday defended the idea of paying for vulnerabilities, but also said he has responded to critics by putting a tighter lid on bug details to make sure they don't fall into the wrong hands.

Dave Endler, now the director of research at TippingPoint, a producer of intrusion-prevention systems (IPS) and part of 3Com, created the company's Zero Day Initiative (ZDI) cash-for-crashes program in July 2005. In August 2002, Endler launched a similar program at iDefense, a security intelligence provider now owned by VeriSign.

ZDI, for instance, receives an average of about 40 new vulnerability submissions per month, and buys about one out of 10 submitted. ZDI does not disclose what it pays for a vulnerability, but it does run a "frequent-flier" kind of program that can pay out bonuses as high as $20,000 to top-ranked researchers. TippingPoint uses the vulnerabilities it buys to build signatures for its IPS wares, giving it a jump on the competition that it feels is worth what it pays since it can protect customers from not-yet-public flaws.

But from the moment Endler's brainstorms appeared, other security researchers and professionals lambasted the idea. That criticism hasn't stopped, although Endler said it has diminished. Even so, misconceptions about bounty programs like ZDI continue.

"Many have characterized it as paying hackers, and that's just not the case," said Endler. About 40% of ZDI's top researchers -- the program boasts more than 600 in its community of contributors -- work in the security industry, according to a poll TippingPoint conducted. Just 10% admitted that they would consider selling their findings to the cybercriminal underground if they were offered more money, the poll found.

"In the past few years, a growing research community has been created," said Endler. "And some of them don't want to be burdened with the disclosure process required by vendors. Some of them don't want, for example, to do the extra work that a vendor may ask for."

At and after the annual Black Hat security conference held two weeks ago in Las Vegas, however, critics again blasted bug bounties in general and ZDI in particular. In a Black Hat presentation, Robert Graham, co-founder of Errata Security, said that hackers can reverse-engineer the IPS signatures ZDI releases -- or any anti-malware signature -- and using that, piece together enough information to come up with a working exploit. Graham said at Black Hat that there was some evidence that suggested a pair of underground hacking groups used ZDI signatures to build zero-day exploits.

"We've seen no evidence of that," Endler said. "We have a lot of monitoring devices out there, and have picked up nothing. And we haven't heard anything from an affected vendor, which we would certainly expect."

Nevertheless, Endler said, TippingPoint made several changes to its signature distribution. "[Graham] pointed out a few areas of weakness, and we're working with [him]," said Endler. TippingPoint pushed an update to the operating system of the IPS products that completely changed the format and delivery mechanism of its signatures. "We also changed our model for distributing zero-day signatures," he added. "We removed them all from our products, and going forward, they'll be available only as an opt-in.

"We'll continue to release [zero-day signatures], but to a smaller circle. We'll know who [each recipient] is." TippingPoint has done additional vetting of customers who request the zero-day signatures to further tighten security.

Other researchers took post-Black Hat shots at ZDI. In a posting to the IBM Internet Security Systems (ISS) blog, Gunter Ollmann, director of ISS's X-Force research lab, seconded Graham's criticisms of TippingPoint's bounty program. He also took exception to TippingPoint claims that ZDI gives advance notice of its findings to other security vendors, as well as its justifications for the program.

"As far as I'm concerned, these 'justifications' of theirs are a load of bollocks," Ollmann said, adding that ISS has never been given advance notice by TippingPoint.

Endler declined to respond directly to Ollmann's charges, but did say TippingPoint shared its bought-and-paid-for zero-day vulnerabilities with any legitimate security vendor. "We would be more than willing [to share with ISS]," said Endler. "They just have to ask for it.

"In a lot of ways, [disagreements over paying for vulnerabilities] come down to a philosophical debate about disclosure," Endler said. But there's another element to the criticism of ZDI and other bounty programs, he said. With the explosion in security research tools, the bar has been dramatically lowered for entry into the vulnerability-hunting community.

"That's a good thing for us, because it expands the research community. There are all that many more potential researchers looking for vulnerabilities." Critics, he said, are usually old-school researchers, who made their bones in the field long before the number of discovered and disclosed vulnerabilities -- and competition for them -- climbed.

"Many of these people are just living in the past," Endler said.
