The world of publicizing vulnerabilities would be good fodder for a Matt Damon movie if the things being discussed were more tangible and a bit sexier than snippets of computer code. But it is an exciting world nonetheless: There is a lot of money on the table, and a hint of danger because one of the groups involved is made up of real-life bad guys.
There are several ways in which vulnerabilities are made known to the public: In some cases, security vendors employ researchers. In others, independent researchers who have found vulnerabilities bring them to security firms. There also are brokers who act as middlemen for the independents. Finally, there are individuals or groups who find vulnerabilities and use them for nefarious purposes, either alone or in league with criminal organizations.
Of course, no legitimate folks back the third option. Even brokers are controversial. This ZDNet post discusses the opinion of Gunter Ollman, the director of security strategy at IBM Internet Security Systems (ISS). Ollman doesn't buy into the idea that brokers -- and the bug hunters they represent -- are a legitimate link in the security chain. Ollman's own post is here. Another possibility -- one that we hope will be limited in scope -- emerged this summer when a Swiss firm, WabiSabiLabi (yes, it's difficult writing a serious post about a company with that name) opened what appears to be the first online auction site for security vulnerabilities. David Goldsmith, the president of Matasano Security, isn't clear on all the details of what WabiSabiLabi -- WSlabi for short -- is up to, but seems skeptical about the idea:
There are two parts: Is this particular implementation a good idea and the more general question of whether vulnerability markets and auctions are a good idea. In this particular case, there are some basic implementation problems. One of the things that is really challenging when trying to use the auction format for sale of vulnerabilities is that it is hard to explain what you have to someone and validate it without giving it away. [In the WSLabi case], it wasn't so hard for researchers to figure out what vulnerabilities were by just reading the description of the site, at least in a couple of instances.
Think eBay, but replace the bric-a-brac and old stereo equipment with treasure maps. The twist is that in order to convince buyers that the map is legitimate, the seller has to include enough information to give cartographers a good chance of finding the treasure for themselves.
Goldsmith echoes other researchers in raising an even more fundamental question: In an auction scenario, it seems that it will be extremely difficult to keep the code out of the hands of criminals. Put simply, if an individual or group wants code and feels that they can do something with it, they probably are savvy enough to evade whatever vetting mechanism the auctioneer has in place.
Traditionally, the path to a patch involves the discovery of a vulnerability and its posting at an online site such as Bugtraq. A source of conflict is the lag time between the discovery and when it is posted. In some cases, the vendor is given warning. In others, the news is released before a patch is ready. Said Goldsmith:
The difference between the first and second approaches is that the vendor may not be ready for information to come out. They may be learning about it at the same time as everyone else. I don't think it's the best thing because it doesn't give the vendor a chance to respond. Classically, [that approach would be taken if] the vendor is not responding to the researcher in the first place.
This Symantec blog posting looks at the history of Bugtraq through the eyes of someone who was there. The author, Elias Levy, says that the founders have tried to negotiate "a field full of moral land mines." The initial question was whether it was right to make vulnerability information available at all. One side of the argument said that doing so was a disservice to those who owned the software, while the other side said that the true state of security should be known, and that disclosing vulnerabilities would "kick start" research. History has shown that both sides had valid points, Levy says.
Whether the topic is auctions, brokerages or other methods, there seems to be a large built-in gray area that probably isn't solvable to everyone's satisfaction. The system, however, seems to continue functioning. Said Goldsmith:
There are no clear answers. I've been on vulnerability disclosure panels for years. We have great conversations, but never walk away saying, "We solved that." I think the biggest difference over time is more people are looking for vulnerabilities. The number that are found is going dramatically up. As a result, there is more secure software, but also as a result, things may look like they're getting worse.
The bottom line is that how vulnerabilities are found and distributed is an area in which many querulous people operate, where a tremendous amount of money is at stake and where there are no absolute moral certainties. Indeed, it sounds a bit like a Matt Damon film after all.