"No more free bugs"? There never were any free bugs

Summary: Vulnerability researchers have always extracted value out of their work, even before there was a monetary value placed on exploits. Security researchers at last week's CanSecWest conference dramatically announced their new philosophy that software vulnerabilities should no longer be given away.

Vulnerability researchers have always extracted value out of their work, even before there was a monetary value placed on exploits. Security researchers at last week's CanSecWest conference dramatically announced their new philosophy that software vulnerabilities should no longer be given away. The movement cites the existence of a marketplace for vulnerabilities and extensive paid QA departments at large software houses as their motivation for monetizing vulnerabilities. The security community, including the media, has been acting like this is some new turn of events.

The reality is far different. Vulnerabilities have always generated value for their creator, albeit in evolving ways over the past 20 years. You are kidding yourself if you think that they were always published for truly altruistic purposes.

Back in the day, oh, let's say up until the late 90's, two economic regimes governed the vulnerability space. The gift economy consisted of researchers giving away vulnerabilities in exchange for social capital and the expectation of reciprocity from other senior researchers. This was how rock stars were made in the underground. Simultaneously, there existed a barter economy for those who valued the long-term effectiveness of exploits against target systems over the social capital that could be gained by broadcasting the vulnerability's existence. The barterers traded exploits on the underground to build personal toolkits which could be used to take down arbitrary targets on the Internet. Anyone who reads this blog should know what the informal names of these two groups were.

The late 1990's arrived, and a burst of security startups came on the scene towards the tail end of the Internet bubble. People who wrote and released exploits were hired by these firms to write and release exploits, effectively serving as raw grist for the marketing department. The researchers were able to convert their accrued social capital into a full salary with benefits. The dominating logic for the firms at the time was that money was cheap, security talent was impossible to find, and vulnerability announcements were an attention-grabbing PR scheme that could be translated into qualified leads for the services and products produced by the organization.

[The group that traded exploits rather than releasing them for social capital called this act "selling out." Those of us who got jobs called it "buying in."]

The early 2000's hit, along with a severe economic crunch for our industry. Security companies experienced a wave of M&A action, and many researchers either rode the acquisition out, ran off and started consultancies, or went back to school. Paid vulnerability research was cut as the individuals behind the work were put onto making products that could be sold rather than generating news for marketing departments.

There was still value in vulnerabilities; companies like iDefense showed it was possible to supply their internal intelligence and marketing operations by buying vulnerabilities on the open market, effectively creating a free market for vulnerabilities. The top researchers continued to release their findings on their own, as they could make more money from leads for their consulting services than iDefense was able to pay for the finding.

A few years later, criminals figured out how to make money off of compromised desktop systems operating in aggregate from a central control point, using techniques ranging from sending spam to keystroke logging to DDoS for hire services. Building these networks required either new exploits or social engineering attacks, which created the underground market for new vulnerabilities. Not surprisingly, the underground market paid far higher rates for products like a zero-day vulnerability against a fully patched Windows XP system than someone could get from the legitimate malware market.

Today, the best and brightest may say "no more free bugs", but they already have the social capital required to function in our industry, and can command high consulting fees. Up-and-comers like Nils can go to CSW and participate in P2O, giving them a means of generating social capital while still making money. However, for non-headline-generating vulnerabilities, people who are fresh to the scene will still hand out minor vulns to build personal reputation, all the while selling their most impressive findings to botnet builders on the underground.

  • Actually, many bugs were free bugs

    In that the people who found them reported them to the person who made the software with no intention of ever getting paid for them, thinking that they were doing a service.

    When they realized that some people (cough.... Microsoft) wouldn't fix the bugs unless they put them out into the wild where they could be used for malicious purposes or were told "Hey, I'm going to make this thing well known in X days, get off your butt and fix it!"......... they realized that "Why am I doing this just for the 'good of the community' when these businesses don't have the good of the community in mind? No, I'm going to try and get PAID for these things, either by selling the vulnerabilities or by charging the business in question for the details, which since they had to pay for the details, makes them more likely to push out a fix!"
    • Right. Which is why the guy who said

      "No more free bugs" mentioned that he wasn't going to tell Apple because Apple was paying people to find bugs, why should he do the same thing for Apple for free?

      So (cough.... Microsoft) wasn't even a factor in this story.
    • Maybe True before 2002 but not today.

      Microsoft 'saw the light' in 2002 with their trustworthy computing initiative which spawned WinXP SP2 (Firewall, DEP, etc...) and 'secure by default' settings in Microsoft software in general.

      The proof in this instance was that at P2O Microsoft was there to see first hand the Internet Explorer exploitation... I hadn't read of any other companies checking in on their product at CanSecWest.
  • legitimate malware market.

    Did that phrase strike anyone else as a bit disconcerting?

  • RE: In-depth look at Windows 7

    Will it fall apart like a $300 install of Visyaaaa
  • Encouraging the black market?

    "all the while can sell their most impressive findings to botnet builders on the underground."

    Great reputation builder, there.

    I think the point of the conference talk "No more bugs for free" was to encourage software developers that they should work with vulnerability researchers instead of vilifying them or encouraging selling a vulnerability on the underground.

    Yes it's true that vulnerability disclosure can have a positive externality of credibility which "may" lead to a job; however, there are plenty of very important vulnerabilities which go unpatched in large part because credibility is often not worth enough to even bother.

    "hmmm. make $20/hour or report a vulnerability which may or may not benefit my career. Tough choice." (sarcasm)
  • Write a program that ends virus forever---

    And you'll be a billionaire overnight. That's incentive!
  • Old Scheme - new media

    "Ya see dose windows? A rock could break dem and we woda want dat to happen, wood we Vinny?"
    "Da, dats rite boss"
    "I tell you what I gonna do fer ya Pops. You pay me a small fee and I'll fix it so dos windows they no break, right Vinny?"
    "Da, dats rite boss"

    • That is awesome!

      And true! They say we laugh at things that make us uncomfortable. Well, I got a good laugh from that.
      I suspect that today Vinnie would be carrying an impact punch; easier to conceal than a rock.
  • so M$ feedback report when IE crashes is not free research? oh yeah,

    I see. We paid them for the opportunity to see how vulnerable the software is. I get it now.

    no more free lunch.

    not gonna pay for that privilege any more.
  • RE: My point of view

    I have reported dozens of bugs as an employee, and never got a cent from it, not a raise, nor a bonus. My name doesn't appear in the press releases.

    No, I'm not lucky enough to live in the first world.

    No, I can't afford to travel to meet people by myself and get a better job.
    I don't have enough money in the bank to start an enterprise, and anyway that would be stupid; in the third world startups only get peanuts.
    I would like to have a job that allows me to have a car and a house, and then I would release the bugs for free. But right now I can't afford to do that.
    I'm sure this is the situation of dozens of security employees of third world enterprises.
    I've never sold a bug, but in the future I plan to start a family, so #nomorefreebugs, hell yeah.