CSC 379 SUM2008:Week 3, Group 1: Difference between revisions
Revision as of 23:49, 25 July 2008
Markets for Bug Reports
Is it good to encourage the formation of a market for bug reports where people who find bugs could be paid for their efforts? How about the danger that hackers might outbid developers and use this information to exploit the bug and wreak havoc on users of the application? Can this danger be avoided by regulating the market? How can such regulation succeed in practice? What about the problem of markets in other countries? In response to these concerns, should software companies establish a policy of refusing to pay for bug reports?
Background
There is a growing underground market for malware, which grows more sophisticated by the day.[1] As such, it is important for non-malicious software developers to stay ahead. One method is to ensure that the code they produce contains as few security holes as possible. However, programmers are hardly perfect, and bugs will manage to slip through the cracks. It is therefore important that developers be made aware of these bugs as they are discovered. This page attempts to address the merits and demerits of paying third parties to do just that.
Arguments For The Use of These Markets
- Software will become more secure. By rewarding individuals for their time and effort, people are given an incentive to expose and report more bugs. As these bugs are fixed, software becomes more robust and safer to use.
- They will make it easier to report a bug. Markets will facilitate people who would otherwise not come forward with bugs due to frustration with reporting them to software vendors in the past.[2]
There are concerns that companies in this line of business might sell their information to the highest bidder, which potentially means malware producers. But as the market grows, competition will force these companies to protect their reputations by regulating themselves. One example is the Switzerland-based firm WSLabi, which claims to screen its buyers. If a buyer seems legitimate, WSLabi will sell them the information and vouch for them in the future.
Arguments Against The Use of These Markets
- Being paid to find software bugs is morally questionable. Everyone uses software in some way or another, therefore everyone is affected by bugs. People should report any bugs that they find because it is to all people's benefit, not because they will make money out of it.
- The information can easily end up in the wrong hands. Not all companies will sell only to legitimate software vendors and producers.
Buying and selling bug reports may be a moot point in any event. While malware is a separate issue from programming bugs, it still poses a credible threat to computer security. Nearly all anti-virus software is signature-based, which means that it only detects malware that is already known to exist. However, malware producers can make new versions of viruses roughly every 45 seconds or so (see page 2 of the MessageLabs report linked under Additional Links). There is also a growing underground economy for malware, and as it becomes larger and more sophisticated, so will the malware. Bugs can certainly be used by hackers and crackers to make it easier to break into computer systems, but reporting them will barely slow down anyone with enough funds to buy the latest malware. No amount of money spent on a bug report will protect against virus code that doesn't require a security loophole.
Additional Links
- http://bits.blogs.nytimes.com/2007/07/06/a-new-market-for-software-flaws/#more-206
- http://www.techcrunch.com/2007/07/06/hackers-ebay-legitimate-marketplace-or-organized-blackmail/
- http://www.crn.com/security/201800238
- http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf
- http://news.cnet.com/Offering-a-bounty-for-security-bugs/2100-7350_3-5802411.html