By Dawn Kawamoto
Tuesday, August 07 2007 01:18 PM
URL: http://www.zdnetasia.com/news/security/0,39044215,62030518,00.htm
An upstart security research firm with a controversial business model is
at the center of a debate over how software bugs should be disclosed.
Vulnerability Discovery and Analysis (VDA)
Labs, founded in April by Jared DeMott, notifies software vendors of
security bugs found in their software, as do many other security
researchers.
But as part of VDA's business model, vendors are asked to pay for the bugs it
discovers, or for its consulting services; otherwise VDA threatens to sell the bug
to a third party or to make the details of the security flaw public.
DeMott, who has done work for the National Security Agency among other
places, describes his business model as "edgy," while other security researchers
see it as more akin to "extortion." The practice, in either case, veers from the
more traditional ways bug hunters have worked with software vendors and security
firms.
Just two weeks ago, LinkedIn, the popular social-networking site, got a taste
of VDA's business practices, when the Michigan security company claimed it had
found a critical security flaw in the LinkedIn Internet Explorer Toolbar.
"We've discovered an attack against the LinkedIn toolbar. If you are
interested in the bug, we would like to give first right of refusal to purchase
it. We'd also like to perform a more complete security audit of your products.
We can help make the LinkedIn products more secure," DeMott stated in e-mail
sent to LinkedIn on Jul. 10, as viewed by CNET News.com.
The e-mail continues: "If you wouldn't like to buy it then we are happy to
resell or release as a full disclosure to help prevent security issues arising
on end users' servers. We strongly believe in keeping users safe. We are unique
in that we give vendors a first chance at the bugs we discover rather than
selling to a third-party or releasing publicly. Please find the VDA Labs Value
add document attached. If you'd like to buy the bug we will provide working
attack code, so that you can verify the bug, before you send the check."
VDA set a deadline of Jul. 17 and requested a payment of US$5,000.
After failing to receive a response from LinkedIn, DeMott sent two e-mails on
the eve of the deadline. One served as a reminder that the deadline was looming,
and the other stated the price had increased to US$10,000.
"Just developed the attack into a working exploit now. Call me," DeMott wrote in the e-mail.
Two days after the deadline passed and details of the security flaw and how
to exploit it were published, DeMott sent another e-mail to LinkedIn.
"So, if your company policy is to not buy bug reports, would you be willing
to sign up for consulting (with VDA) then? We could include this bug as part of
the final report. I really just had to irresponsibly release this exploit,"
DeMott said in the e-mail.
LinkedIn declined to comment. The company has since patched the flaw
identified by VDA.
DeMott, who confirmed he sent the e-mails, defended his company's business practices and
noted it has protected users by issuing them a heads-up, and by prompting
vendors to take action to patch the flaw.
He also pointed to the VDA Value document, which outlined his company's
services and pricing.
"Our business model is a little edgy, but we never saw it as extortion or
thought of it that way," DeMott said. "We wanted to do something that would
really grab the vendor. The vendors don't make money patching products. They're
more interested in selling products. We were afraid they would try to put us on
the back burner."
Some software companies, for example, do not work with security researchers
as a matter of policy, and only act on vulnerabilities if flagged by their
customers.
Other security researchers are critical of VDA's business model.
"Anytime you have someone saying they have this, and that unless you give
them money, they'll do that, that's extortion," said Frederick Doyle, director
of VeriSign/iDefense Research Lab and a former police officer in the state of
New York.
Johannes Ullrich, chief research officer for the Sans Institute, expressed
similar sentiments.
Is it extortion?
"I think this is extortion, particularly if he threatens to release the bug
publicly if he's not paid," Ullrich said. "You should not hold a bug hostage."
VDA is not alone in its business practices, said Terri Forslof, manager
of Security Response for Tipping Point, which is owned by 3Com.
Forslof, who previously worked as security program manager for the Microsoft
Security Response Center, said she came across similar situations about a dozen
times during her stint at the software giant between 2000 and 2005.
"Most major vendors, including Microsoft, have strong corporate values and
will not pay for vulnerabilities," Forslof said. "So, making that threat to pay
me, or I'll harm your customers, is basically like extortion to them."
DeMott, however, said his company has had some success with its business
model.
Over the past four months, the company has seen roughly half of potential
customers agree to pay the bug bounty fee, and the other half reject the idea
outright. And in one case, a company declined to pay the bug fee but then signed
up for VDA's consulting services. To date, two companies have purchased the
vulnerabilities that VDA discovered and patched them, DeMott said.
But Ullrich described such customers as "paying for protection."
"There are people who pay protection to the mob. It's really a protection
racket," Ullrich said. "I can't see it as a legitimate business model."
Other business models
Bug bounty hunters have a variety of means to generate income, security
researchers say.
Auction site WabiSabiLabi, where software companies and security vendors bid on
such discoveries, emerged on the scene this summer, amid some controversy over
whether the buyers of the vulnerabilities could be malicious attackers.
Since the Switzerland-based site was announced on Jul. 9, approximately 20
vulnerabilities have been posted on the auction, ranging in price from 200 to
2,600 euros (US$274 to US$3,564), Roberto Preatoni, WSLabi's strategic director,
said in an e-mail.
"You should take into account that this market just started, therefore we
think it's needed to wait at least six months before seeing real values being
expressed in it," Preatoni said.
Three vulnerabilities have been sold on the auction site, while six more are
currently on the market as their auction time ticks down.
Other compensation methods for bug hunters have included landing lucrative
contracts with software vendors to debug their products, and participating in
ongoing formal bug reporting programs offered by Tipping Point, iDefense and the
Mozilla Foundation.
Back in 2005, Tipping Point launched its program, titled the Zero Day Initiative. The program
pays security researchers for the bugs they discover, along with proof-of-concept code or working exploits.
Tipping Point pays on a sliding scale, depending on the severity of the vulnerability
and how widely the affected software is distributed.
Forslof noted Tipping Point generally pays more if a researcher has taken the
extra effort to develop proof-of-concept code.
"Based on the amount of money (DeMott) wanted for the bug and working
exploit, it would have been in line with what we would have offered," Forslof
said. "The amount of money he was asking for was not out of line--it's just the
way he went about asking for it from LinkedIn."
Once Tipping Point buys bugs and exploits from security researchers, it then
validates the information before passing it on to the software vendor for free.
Tipping Point then writes filters for its Intrusion Prevention devices based on
the information it has validated from the bug hunter.
iDefense, which operates the iDefense Vulnerability Contributor
Program (VCP), has a similar concept. The main difference is that iDefense, after
validating the information and notifying the software vendor for free, uses the
information to alert its own client base and to build workarounds until the vendor
ships a patch.
"The VCP provides researchers with ways to get legally paid for the research
they do," Doyle said. He noted the payments can vary from a couple hundred
dollars to as much as US$10,000.
The Mozilla Foundation,
meanwhile, offers a US$500 bounty for every serious security bug found in its
software.
DeMott said his VDA Labs is not wedded to its business model and may be open
to tweaking it.
"If this business model is not panning out the way we had hoped, then we may
focus on government or commercial contracts," DeMott said. "I certainly won't
turn down a contract."