Vulnerability auctions compromising security

Summary: A security firm has warned that the market trading in vulnerabilities is 'hotting up', at the expense of responsible disclosure

More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them "responsibly" to the vendor whose products are affected.

At a breakfast briefing organised by email security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting.

"I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage, which one do I choose?"

Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder.

"The economy on the marketplace is facilitating the sale of everything you want, from custom Trojans to rootkit, and moving through to things like vulnerabilities, which are a marketable commodity," said Ingram.

Last week, security firm Finjan published evidence, compiled by the company's Malicious Code Research Centre, showing examples of vulnerabilities being sold online.

Finjan's chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand — and therefore the price — goes up.

"The name of the game is money… we see a trend towards commercialisation of malicious code. Motivated by financial gain, hackers are honing their skills and becoming more ambitious, targeting the growing numbers of Internet users and stealing personal details and financial information, as well as compromising intellectual property," said Ben-Itzhak.

In Finjan's report, the company published screenshots of emails that seem to be already soliciting bids for vulnerabilities in Microsoft's IE 7 and Windows Vista, which is not going to be released until next year.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

1 comment
  • Tip of the iceberg really. If I remember correctly it wasn't the tip of the iceberg that sunk the Titanic. Actually, it wasn't the impact with the iceberg that led to the Titanic disaster but rather a couple of system-wide design flaws. And that might have had something to do with decision makers not listening to those pointing out possible problems but instead opting to label them as 'troublemakers'.