Bug bounty program answers critics

Could hackers use TippingPoint signatures of paid-for flaws to reverse-engineer exploits?

August 9, 2007 12:00 PM ET

Computerworld - The man who launched both of the security industry's major bug bounty programs today defended the idea of paying for vulnerabilities, but also said he has responded to critics by putting a tighter lid on bug details to make sure they don't fall into the wrong hands.

Dave Endler, now the director of research at TippingPoint, an Austin-based producer of intrusion-prevention systems (IPS) and part of 3Com Corp., created the company's Zero Day Initiative (ZDI) cash-for-crashes program in July 2005. In August 2002, Endler launched a similar program at iDefense, a security intelligence provider now owned by VeriSign.

ZDI receives an average of about 40 new vulnerability submissions per month and buys about one out of every 10 submitted. ZDI does not disclose what it pays for a vulnerability, but it does run a "frequent-flier" kind of program that can pay out bonuses as high as $20,000 to top-ranked researchers. TippingPoint uses the vulnerabilities it buys to build signatures for its IPS products, giving it a jump on the competition that it feels is worth what it pays, since it can protect customers from not-yet-public flaws.

But from the moment Endler's brainstorms appeared, other security researchers and professionals lambasted the idea. That criticism hasn't stopped, although Endler said it has diminished. Even so, misconceptions about bounty programs like ZDI continue.

"Many have characterized it as paying hackers, and that's just not the case," said Endler. About 40% of ZDI's top researchers -- the program boasts more than 600 in its community of contributors -- work in the security industry, according to a poll TippingPoint conducted. Just 10% admitted that they would consider selling their findings to the cybercriminal underground if they were offered more money, the poll found.

"In the past few years, a growing research community has been created," said Endler. "And some of them don't want to be burdened with the disclosure process required by vendors. Some of them don't want, for example, to do the extra work that a vendor may ask for."

At and after the annual Black Hat security conference held two weeks ago in Las Vegas, however, critics again blasted bug bounties in general and ZDI in particular. In a Black Hat presentation, Robert Graham, co-founder of Errata Security, said that hackers can reverse-engineer the IPS signatures ZDI releases -- or any anti-malware signature -- and, using that, piece together enough information to come up with a working exploit. Graham said at Black Hat that there was some evidence suggesting a pair of underground hacking groups had used ZDI signatures to build zero-day exploits.
