An IBM security strategist wants software vendors to stop acknowledging companies and researchers who buy and sell security vulnerabilities.
Gunter Ollman, director of security strategy at IBM Internet Security Systems (ISS), believes there's no real accountability attached to the trading of vulnerability information by third-party companies like iDefense and TippingPoint.
iDefense and TippingPoint have built business models around buying exclusive rights to software bugs and using the information to ship pre-disclosure signatures in IPS (Intrusion Prevention Systems) products. But, in Ollman's eyes, that model does not lend itself to accountability and actually adds an element of risk because IPS signatures can offer clues on zero-day vulnerabilities.
Ollman's comments (which he makes clear don't represent the corporate stance of his employer) follow a Black Hat conference presentation (.pdf) by Errata Security's Robert Graham on a technique to extract flaw information from IPS signatures.
"[These brokers] all make claims about how they make valuable contributions to the community – but let's face it, the net result is more vulnerability disclosures with more money going in to the coffers of anonymous bug-hunters -- and without any real accountability," Ollman said, arguing that the notion that brokers act as a "responsible conduit" for public disclosure is bogus.
In theory that sounds all fine and dandy, except for the simple fact that some people have been extracting the technical details of these pre-disclosure vulnerabilities from their products for quite some time. I guess you could say that the "Zero Day Initiative" has been a great source of zero-day exploits and bypasses for many people. Since its inception, professional pentest teams have been extracting the info and putting it to good use in penetrating their clients (and I wouldn't be surprised if less ethical hackers haven’t been doing the same).
He pointed to Graham's talk, which discussed how shipping zero-day signatures can endanger the market as a whole as well as the IPS customers using the pre-disclosure signatures.
Ollman makes no bones about his dislike for flaw-buying programs.
While I would love to see all these vulnerability purchase programs shut down and disappear forevermore, I unfortunately think that the proverbial cat is out of the bag. So, in order to curtail the popularity of these schemes and the creation of more of them, I'd like to propose something to all those major software vendors and security organizations out there. Stop recognizing these irresponsible disclosers in your public vulnerability disclosures!
He suggests that vendors stop acknowledging, in their alerts or advisories, any "vendor" that serves as a broker or purchaser of third-party vulnerability information. He also proposes that software companies stop crediting bug-finders who sell or irresponsibly disclose a security problem.
Ollman also wants companies to stop acknowledging an alias or pseudonym for any researcher that discloses a vulnerability - even if they came to you directly. "Use real names only," he adds.
By withholding credit, Ollman thinks vendors can "remove the recognition and marketing vectors that these guns-for-hire and irresponsible brokering vendors seek to capitalize upon."