IBM security strategist: Stop crediting vulnerability brokers

Summary: Gunter Ollman, director of security strategy at IBM Internet Security Systems (ISS), believes there's no real accountability attached to the trading of vulnerability information by third party companies like iDefense and TippingPoint.

An IBM security strategist wants software vendors to stop acknowledging companies and researchers who buy and sell security vulnerabilities.

iDefense and TippingPoint have built business models around buying exclusive rights to software bugs and using that information to ship signatures for their intrusion prevention system (IPS) products before the vendor has disclosed or patched the flaw. In Ollman's eyes, that model does not lend itself to accountability and actually adds risk, because a pre-disclosure IPS signature has to describe the malformed input it blocks, and so offers clues about the underlying zero-day vulnerability.

Ollman's comments (which he makes clear do not represent the corporate stance of his employer) follow a Black Hat conference presentation by Errata Security's Robert Graham on a technique for extracting flaw information from IPS signatures.
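To make the "signatures leak the bug" argument concrete, here is an added example; it is not code from the article, from Ollman's post, or from Graham's talk, and it does not reproduce his method. The rule, the service on port 2000, and the field layout are all constructed for illustration and are not a real vendor signature. The parser understands only the `content`, `offset` and `byte_test` subset of Snort-style rule options, which is enough to show that a rule's match conditions double as a description of the triggering input.

```python
"""Constructed illustration: an IPS rule's match conditions describe the
malformed input it blocks, so a reader can derive a trigger from the rule.
The rule, port and field layout below are invented for this example."""
import re
from dataclasses import dataclass, field

# Snort-style rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Constructed example rule (hypothetical service, not a real signature).
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 ('
    'msg:"EXAMPLE-SVC hello packet with oversized name field"; '
    'flow:to_server,established; content:"|01 00|"; depth:2; '
    'byte_test:2,>,256,2; classtype:attempted-admin;)'
)


@dataclass
class ByteTest:
    size: int      # width of the tested field in bytes
    op: str        # comparison operator: >, <, =
    value: int     # threshold the field is compared against
    offset: int    # byte offset of the field in the payload


@dataclass
class RuleFacts:
    proto: str
    dport: str
    msg: str
    prefix: bytes = b""          # fixed bytes the rule expects (content:)
    prefix_offset: int = 0       # where those bytes must sit (offset:)
    tests: list = field(default_factory=list)


def decode_content(text: str) -> bytes:
    """Decode a Snort content string: |01 00| hex runs mixed with literal text."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def parse_rule(rule: str) -> RuleFacts:
    """Extract the header and the content/offset/byte_test options of a rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule header")
    facts = RuleFacts(proto=m["proto"], dport=m["dport"], msg="")
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            facts.msg = val
        elif key == "content":
            facts.prefix = decode_content(val)
        elif key == "offset":
            facts.prefix_offset = int(val)
        elif key == "byte_test":
            size, op, value, offset = (x.strip() for x in val.split(",")[:4])
            facts.tests.append(ByteTest(int(size), op, int(value, 0), int(offset)))
    return facts


def matches(facts: RuleFacts, payload: bytes) -> bool:
    """Minimal evaluator for the option subset parse_rule understands."""
    end = facts.prefix_offset + len(facts.prefix)
    if payload[facts.prefix_offset:end] != facts.prefix:
        return False
    for t in facts.tests:
        chunk = payload[t.offset:t.offset + t.size]
        if len(chunk) < t.size:
            return False
        v = int.from_bytes(chunk, "big")  # byte_test compares big-endian by default
        if not {">": v > t.value, "<": v < t.value, "=": v == t.value}.get(t.op, False):
            return False
    return True


def build_trigger(facts: RuleFacts, padding: bytes = b"A") -> bytes:
    """Derive a payload that satisfies every match condition in the rule."""
    length = max([facts.prefix_offset + len(facts.prefix)]
                 + [t.offset + t.size for t in facts.tests])
    buf = bytearray(padding * length)[:length]
    buf[facts.prefix_offset:facts.prefix_offset + len(facts.prefix)] = facts.prefix
    for t in facts.tests:
        v = {">": t.value + 1, "<": max(t.value - 1, 0), "=": t.value}[t.op]
        buf[t.offset:t.offset + t.size] = v.to_bytes(t.size, "big")
    return bytes(buf)


def what_it_reveals(facts: RuleFacts) -> list:
    """Plain-language summary of what a reader learns from the rule alone."""
    notes = [f"target: {facts.proto}/{facts.dport} ({facts.msg})"]
    if facts.prefix:
        notes.append(f"message type: bytes {facts.prefix.hex()} at offset {facts.prefix_offset}")
    for t in facts.tests:
        notes.append(f"{t.size}-byte field at offset {t.offset} is dangerous when {t.op} {t.value}")
    return notes


if __name__ == "__main__":
    facts = parse_rule(EXAMPLE_RULE)
    for line in what_it_reveals(facts):
        print(line)
    trigger = build_trigger(facts)
    print("trigger:", trigger.hex(), "matches rule:", matches(facts, trigger))
```

The point is not the parser but what falls out of it: the constructed rule names the port, the message type bytes and a two-byte length field that must exceed 256 for the rule to fire, which is exactly the information an attacker needs to start from. A real signature may be vaguer or may test several conditions, but any rule specific enough to avoid false positives carries some of this detail.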

"[These brokers] all make claims about how they make valuable contributions to the community – but let's face it, the net result is more vulnerability disclosures with more money going into the coffers of anonymous bug-hunters -- and without any real accountability," Ollman said, arguing that the notion that brokers act as a "responsible conduit" for public disclosure is bogus.

In theory that sounds all fine and dandy, except for the simple fact that some people have been extracting the technical details of these pre-disclosure vulnerabilities from their products for quite some time. I guess you could say that the "Zero Day Initiative" has been a great source of zero-day exploits and bypasses for many people. Since its inception, professional pentest teams have been extracting the info and putting it to good use in penetrating their clients (and I wouldn't be surprised if less ethical hackers haven’t been doing the same).

He pointed to Graham's talk, which discussed how shipping zero-day signatures can endanger the market as a whole as well as the IPS customers using the pre-disclosure signatures.

Ollman makes no bones about his dislike for flaw-buying programs.

While I would love to see all these vulnerability purchase programs shutdown and disappear for evermore, I unfortunately think that the proverbial cat is out of the bag. So, in order to curtail the popularity of these schemes and the creation of more of them, I’d like to propose something to all those major software vendors and security organizations out there. Stop recognizing these irresponsible disclosers in your public vulnerability disclosures!

He suggests that vendors stop acknowledging, within their alerts or advisories, any "vendor" that serves as a broker or purchaser of third-party vulnerability information. He also proposes that software companies stop giving credit to bug-finders who sell a security problem or disclose it irresponsibly.

Ollman also wants companies to stop acknowledging an alias or pseudonym for any researcher who discloses a vulnerability, even one who came to the vendor directly. "Use real names only," he adds.

By withholding credit, Ollman thinks vendors can "remove the recognition and marketing vectors that these guns-for-hire and irresponsible brokering vendors seek to capitalize upon."

Talkback

5 comments
  • Like saying "Crime Stoppers" does not work!

    Although the idea of having to offer "rewards" for information on crimes or software bugs may be distasteful, the reality is that many times this is the ONLY way any information can be obtained. This is why Crime Stopper programs legally protect the identity of "informants". If Crime Stoppers refused to offer rewards and maintain anonymity of the informant the system wouldn't work. Sure, software is a business but the rules and motivations are similar.
    kd5auq
    • I agree. If software vendors actively...

      looked for their own issues with more resolve, we wouldn't need third parties to find the problems.

      Weak software is a big problem and the consumer needs someone to keep vendors from putting out trash. If the vendors were more concerned about merchantability this would be a non-issue.
      bjbrock
  • Well, IBM sec strategist can want what he wants

    but unless he threatens to have some of their IBM servers held hostage, what he'll get is some minutes of note and the world returning to status quo.
    Boot_Agnostic
  • Strategy it's not..

    I'd say more appropriately we should stop crediting this guy with being a security strategist.
    --Ollman also wants companies to stop acknowledging an alias or pseudonym for any researcher that discloses a vulnerability - even if they came to you directly. "Use real names only," he adds.--
    Strategically, he's suggesting that vendors take a step backwards in time towards the movements that have been made in a positive direction towards working with the security research community AKA "hackers".
    I could care less where the vuln comes from, as long as it comes to me. I'd be happy to credit Ollman's dog if it would allow me to patch my users, instead of the bug ending up in the black market.
    What's that I hear?? Competitive whining? Funny how all the outcry around this topic comes from 2 former and 1 current ISS employee. Hmmmm.....
    --Since its inception, professional pentest teams have been extracting the info and putting it to good use in penetrating their clients --
    I'll bet you have been, Mr. Ollman and your ISS buddies. ;-)
    securitycat
  • Not getting off that easy

    This always strikes me as funny:
    "Ollman's comments (which he makes clear doesn't represent the corporate stance of his employer) follow a Black Hat conference .."
    Your opinions DO absolutely represent the stance of your employer, when they are put forth on a corporate blog, or any other communication medium of your company.
    You don't get to have it both ways.
    As a customer of this employer, I read the blog to try and stay updated on relevant technical information, not be blasted with personal rhetoric from an employee who is disgruntled with a competitor. It's unprofessional, as well as hypocritical in my opinion.
    As far as I recall, one of the major sales points to this product was the Zero Day protection that I was supposed to be getting due to the efforts of the "elite" internal XForce hacking team. To the best of my knowledge, that protection has not changed. So this is a little like the pot calling the kettle black: you just ship your Zero Day Protection on a much smaller scale than your competitor, but you still claim to provide it last I checked.
    If you do not want your opinions to represent those of your employer, then find a different place to share them other than your employers blog, which is read by your customers.
    GlenMarks