If requesting payment from an affected party directly for the disclosure of vulnerabilities is considered extortion, how can independent security researchers earn a living or side income from researching security vulnerabilities?
Asked
Active
Viewed 2,887 times
17
-
1Take a look here: https://code.google.com/p/it-sec-catalog/wiki/Heap#No_more_free_bugs – May 25 '11 at 10:37
-
In extortion the payment is mostly for not publicly disclosing the vulnerability, not so much for its private disclosure. If you would just ask money for private disclosure without threatening exploiting it or public disclosure, I would not think of it as extortion. – beetstra May 26 '11 at 12:53
-
1See also Ethics and economy in security research - IT Security - Stack Exchange, and another summary of No More Free Bugs at Nibble Security: "No More Free Bugs" Initiatives. But see the problems of this approach, and the exploit derivatives alternative market approach, at exploit derivatives – nealmcb Nov 20 '11 at 15:58
3 Answers
17
In the 'white' sense, the most well known companies that pay researchers to buy vulnerabilities or exploits are:
- Zero Day Initiative (ZDI) by TippingPoint: http://www.zerodayinitiative.com/
- iDefense http://labs.idefense.com/vcp/
- iSight https://gvp.isightpartners.com
- SecuriTeam http://www.beyondsecurity.com/ssd.html
- Netragard http://snosoft.blogspot.com/2010/03/recent-news-on-forbes-about-our-exploit.html
- Several exploit research companies like COSEINC and Immunity also buy from researchers, although it's not advertised very much.
Certain companies like Mozilla and Google have established bug bounty programs - they buy vulnerabilities of their software themselves.
Charlie Miller (famous exploit developer) has written a small paper on the topic - it's an interesting read: The Legitimate Vulnerability Market: The Secretive World of 0-Day Exploit Sales (2007)
john
- 11,088
- 2
- 37
- 43
-
See also Digital Armaments: Contribute Program (though their web site problems don't put them in a good light....) – nealmcb May 25 '11 at 18:29
-
I didn't mention them because I personally don't really trust them. I've never heard of anyone submitting bugs to them.. Seems a little scamy, or shady at least. – john May 25 '11 at 18:35
-
Many thanks for this answer, john. Charlie Miller's paper is particularly interesting. He mentions SNOsoft's Exploit Acquisition Program as another potential marketplace. – Nick May 25 '11 at 22:13
-
@Nick, thanks for that, forgot about Netragard, I'll edit. Funny story, they started their program some years ago, then stopped it at 2008, then started it again last year. I think they are mostly brokers though, instead of circulating vulns to client lists or using them to create IDS signatures as tippingpoint does. Also they buy only full exploits (zdi buys vulns or exploits) – john May 25 '11 at 23:13
5
The bug bounty programs and competitions like pwn2own come to mind.
Would not be an exhaustive list but large companies that offer bug bounties:
Google: http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html
Facebook: https://www.facebook.com/security?v=app_6009294086
Microsoft is a notable exception.
You could also get a research grant from Universities and the government.
Rakkhi
- 5,823
- 1
- 25
- 48
-
2I think facebook doesn't 'buy' vulnerabilities just yet. Their CSO announced (a few days ago) that they'll start their bug bounty program within the year. – john May 25 '11 at 10:37
5
I'd say it has a lot do to with the order of operations:
Extortion:
- find vulnerability
- contact company and demand payment
Tiger Team:
- contact company and negotiate contract
- find vulnerabilities
Unless there's bug finding program set up already, attempting to find vulnerabilities and hacking look pretty much the same without a pre-existing contract.
I know a few independent/small company consultants who manage to make a living working as a tiger team for companies. I'd say the hardest part is getting the reputation, so you can make a case to the company that you should be the person they pay for this work.
bethlakshmi
- 11,686
- 1
- 29
- 59
-
In a sense programs like ZDI are also extortion: they also get money because vendors are afraid of getting hacked. – Ciro Santilli OurBigBook.com Nov 21 '14 at 18:25