CSC 379 SUM2008:Week 3, Group 1: Difference between revisions

From Expertiza_Wiki
== Markets for Bug Reports ==
Is it good to encourage the formation of a market for bug reports where people who find bugs could be paid for their efforts? How about the danger that hackers might outbid developers, obtain this information and exploit the bug to wreak havoc on users of the application? Can this danger be avoided by regulating the market? How can such regulation succeed in practice? What about the problem of markets in other countries? In response to these concerns, should software companies establish a policy of refusing to pay for bug reports?
As hackers grow in number and the data that software handles becomes more sensitive, the bugs that software contains are becoming valuable assets. New legitimate markets are opening up where people who find an exploit or a bug in a program or network can sell it to the highest bidder. The most notable sites are [http://www.tippingpoint.com/ TippingPoint] and [http://www.wslabi.com WSLabi]. Currently, there is a black market for software and network exploits. Most of the time, hackers will sell the exploits they find to malware writers or to other hackers. What companies like WSLabi and TippingPoint are trying to do is create a legitimate market in which hackers can sell their bugs, and thereby shrink some of the bug black market. This also lets the company whose product or system contains the bug become aware of the security risks in its products.

See [http://www.crn.com/security/201800238?pgno=1 this] article for more information on the software bug underground market.
== Arguments For The Use of These Markets ==
* ''Software will become more secure.'' By rewarding individuals for their time and effort, people are given an incentive to expose and report more bugs. As these bugs are fixed, software becomes more robust and safer to use.
* ''They will make it easier to report a bug.'' Markets will help people who would otherwise not come forward with bugs because of past frustration with reporting them to software vendors.[http://news.cnet.com/Oracle-dragging-heels-on-unfixed-flaws%2C-researcher-says/2100-1002_3-5795533.html]
There are concerns that companies in this line of business might sell their information to the highest bidder, which potentially means malware producers. But as the market grows, competition will force these companies to protect their reputations by regulating themselves. One example is the Switzerland-based firm [http://www.wslabi.com WSLabi], which claims to screen its buyers. If a buyer seems legitimate, WSLabi will sell them the information and vouch for them in the future.
== Arguments Against The Use of These Markets ==
* ''Being paid to find software bugs is morally questionable.'' Everyone uses software in some way or another, so everyone is affected by bugs. People should report any bugs they find because doing so benefits everyone, not because they will make money from it. Furthermore, the business practices of a select few exploit-sellers have been described as tantamount to extortion, as in the case of a 2007 start-up, [http://news.cnet.com/Bug-hunting-start-up-Pay-up%2C-or-feel-the-pain/2100-7350_3-6200489.html VDA Labs].
* ''The information can easily end up in the wrong hands.'' Not all companies will sell only to legitimate software vendors and producers. Also, some bug companies sell their bugs in an auction format. They claim that the main market for these bugs is security companies hoping to release updates that close the hole before it is exploited and before their competitors can release the same fixes. However, there is nothing stopping a malware writer from outbidding the legitimate companies for a bug.
Buying and selling bug reports may be a moot point in any event. While malware is a separate issue from programming bugs, it still poses a credible threat to computer security. Nearly all anti-virus software is signature-based, which means that it only detects malware that is already known to exist. However, malware producers can release new versions of viruses roughly every 45 seconds[http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf (page 2)]. There is also a growing underground economy for malware, and as it becomes larger and more sophisticated, so will the malware. Bugs can certainly be used by hackers and crackers to make it easier to break into computer systems, but reporting them will barely slow down anyone with enough funds to buy the latest malware. No amount of money spent on a bug report will protect against virus code that doesn't require a security loophole.
== Bug Economics ==
Traditional economic rules for buyer/seller relationships do not apply in a software vulnerability marketplace. The key ingredients in any ordinary economic transaction are buyers, sellers, and products, and in most cases each ingredient is readily replaceable by a substitute. That is, there are usually many sellers of the same product, or many available alternatives to a given product, and almost always more than one party interested in buying that product. Each of these factors predictably governs the prices negotiated for a transaction according to basic supply and demand curves. In the case of software bug reports, there is only ''one'' product (and only one instance of it), ''one'' seller (the bug finder), and ''two'' prospective buyers: an exploitative party and the software vendor who stands to be victimized by that party. That particular setup leaves software vendors prone to price extortion by the seller, or to direct exploitation by malicious buyers; this unusual condition is only complicated by the emergence of speculators, middle-men and other transactional intermediaries.
The [http://blogs.sun.com/bmc/entry/the_economics_of_software economics of software] in general are not conventional (high fixed costs, negligible variable costs), so incorporating the sub-market of bug reports as a ''cost of doing business'' into software product pricing schemes may further distort software prices.
[http://csdl2.computer.org/comp/proceedings/hicss/2004/2056/07/205670180a.pdf]
== Additional Links ==
* [http://news.cnet.com/Bug-hunting-start-up-Pay-up%2C-or-feel-the-pain/2100-7350_3-6200489.html Kawamoto, Dawn. Bug hunting start-up: Pay up or feel the pain. C|Net. Aug 3, 2007.]
* [http://blogs.sun.com/bmc/entry/the_economics_of_software Cantrill, Bryan. The Economics of Software (blog). August 24, 2004.]
* [http://bits.blogs.nytimes.com/2007/07/06/a-new-market-for-software-flaws/#more-206 http://bits.blogs.nytimes.com/2007/07/06/a-new-market-for-software-flaws/#more-206]
* [http://www.techcrunch.com/2007/07/06/hackers-ebay-legitimate-marketplace-or-organized-blackmail/ http://www.techcrunch.com/2007/07/06/hackers-ebay-legitimate-marketplace-or-organized-blackmail/]
* [http://www.crn.com/security/201800238 http://www.crn.com/security/201800238]
* [http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf]
* [http://news.cnet.com/Offering-a-bounty-for-security-bugs/2100-7350_3-5802411.html Evers, Joris. Offering a bounty for security bugs. C|Net. Jul 24, 2005.]

Latest revision as of 17:51, 28 July 2008
