In the summer of 2005, Charlie Miller was working in his living room when he discovered a hackable vulnerability in a common species of server software. Miller knew he had found something dangerous. But until he offered his prize to a government agency five months later, he had no idea just how much it was worth.
"I asked for $80,000," he says. "When the guy on the phone agreed immediately without consulting his boss, I knew I should have asked for much more."
In fact, the unnamed agency eventually bargained the price for the information, an exploitable bug in the Linux server program Samba, down to $50,000. And what did the agency do with its newly purchased security hole? Miller received his check and didn't ask questions.
"They didn't buy it in order to patch it," Miller says. "I can speculate that it wasn't exactly used for the common good."
Miller's experience, described in a paper he presented to the Workshop on the Economics of Information Security at Carnegie Mellon last June, highlights a growing problem in computer security. When the industry's ever-larger ranks of independent researchers find exploitable vulnerabilities in software, they're forced to price their discoveries on an ad hoc basis with no sense of fair market value. And even worse, independent researchers are often tempted to sell to the highest bidder, not the buyer most likely to use the data responsibly, or even one whose identity and motives are clear.
Today, several IT security companies are moving into that chaotic marketplace to broker a more equitable exchange of software bugs for dollars. These vulnerability traders argue that they're giving hackers a less harmful avenue to profit from their skills. But they also raise questions about where to draw the line in legitimizing an industry that some security professionals say borders on extortion.
The newest market-maker in the IT security field has a strange name: WabiSabiLabi. But the Chiasso, Switzerland-based company has a serious purpose: It offers an eBay-style Web auction platform for security bugs. Launched last Tuesday, the site is already auctioning off four exploitable software flaws, including one in Yahoo!'s instant messenger program, which has a minimum bid of 2,000 euros.
Even in a seemingly trivial program like Yahoo! Messenger, a vulnerability can be used to steal data from corporate or government servers, says WabiSabiLabi's Chief Executive Herman Zampariolo. He says the company performs background checks on all buyers to ensure that they have no record of criminal hacking. Bugs sold on the site are intended only for legitimate purposes like penetration testing.
Zampariolo notes that a small fraction of the site's 34,000 unique visitors have come from the U.S. military. Software companies themselves can also buy information about flaws in their own programs, but rarely do, for fear that offering a bounty would only draw more hackers to their products.
WabiSabiLabi, whose name combines a Japanese word for "imperfection" and a German abbreviation for "laboratory," tests each vulnerability to ensure it fits the seller's description, and in six months plans to begin charging a 10% commission for its services.
"The IT security market is totally based on finding vulnerabilities," says the company's strategic director, Roberto Preatoni. "But the industry doesn't properly value independent researchers. They're told that to be ethical, they must disclose their findings for free. It's like blackmail. We believe they should be able to profit from their work."
So does Adriel Desautels, whose company, Netragard, also buys and sells vulnerabilities, sometimes paying researchers as much as $200,000 for a single flaw. Desautels performs background checks on all clients and sees his company as a healthy alternative to the black market, which is always hungry for new ways to steal corporate secrets and credit card data.
But Dave Aitel, chief technology officer of another vulnerabilities broker called Immunity, says that security professionals will never be able to offer hackers as much money for software bugs as the bad guys. "It's hard to say no if the black market offers you $300,000," Aitel says. "But with us, at least you get a fair valuation and you know that we're bound by the law. The mafia tends to break your knees if they want a cheaper price."
In the eyes of some security professionals, Immunity and Netragard themselves are far from saintly: Neither company reports all of its vulnerabilities to the software's manufacturer upon acquiring them, since doing so would devalue the bugs they purchase. In other words, the vulnerabilities they buy often stay unpatched, and the software's users stay vulnerable.
3Com's Zero-Day Initiative, by contrast, always reports the bugs it buys to the software's manufacturer immediately. That means weaknesses are quickly patched, making users more secure but reducing the price the company can pay hackers. The Zero-Day Initiative won't say how much it offers for each vulnerability, but Miller estimates that the company pays a maximum of around $10,000 per flaw. That's not enough to have kept him from looking to more generous, and less virtuous, buyers, Miller says.
According to IBM's X-Force research security team, that's one more reason that buying bugs, even with the intention of reporting them, only encourages an industry that thrives on extortion. "It's a false economy," says X-Force's team manager David Dewey.
Dewey sorts hackers into three types: black hats, white hats and gray hats. "The black hats will always sell to the highest bidder, which is the underground," he says. "The white hats aren't motivated by money. So the best you can do with a bug bounty program is sway some of the grays, at the expense of security technology as a whole."
Dewey argues that the money spent buying bugs from hackers could be better invested in full-time research teams: The only way to control a freelance hacker, he says, is to give him a job. But as the IT security field matures and becomes more mainstream, Dewey admits that more independent researchers than ever are flooding the software vulnerabilities market.
So how to keep them from selling their findings to the criminal underground?
"It can't be prevented," says Dewey. "As long as there are talented researchers and someone to pay them, it's going to keep happening. We just have to find the bugs first."