CSC 379 SUM2008:Week 3, Group 1
Markets for Bug Reports
As hackers grow in number and the data that software handles becomes more sensitive, the bugs that software contains are becoming valuable assets. New legitimate markets are opening up where people who find an exploit or a bug in a program or network can sell it to the highest bidder. The most notable sites are TippingPoint and WSLabi. Currently, there is a black market for software and network exploits. Most of the time, hackers will sell the exploits they find to malware writers or to other hackers. What companies like WSLabi and TippingPoint are trying to do is create a legitimate market in which hackers can sell their bugs, and thereby shrink the bug black market. This also allows the company whose product or system contains the bug to become aware of the security risks in its products.
See this article for more information on the software bug underground market.
Arguments For The Use of These Markets
- Software will become more secure. By rewarding individuals for their time and effort, people are given an incentive to expose and report more bugs. As these bugs are fixed, software becomes more robust and safer to use.
- They will make it easier to report a bug. Markets will accommodate people who would otherwise not come forward with bugs because of past frustration with reporting them to software vendors.[1]
There are concerns that companies in this line of business might sell their information to the highest bidder, which potentially means malware producers. But as the market grows, competition will force these companies to protect their reputations by regulating themselves. One example is the Switzerland-based firm WSLabi, which claims to screen its buyers. If a buyer seems legitimate, WSLabi will sell them the information and vouch for them in the future.
Arguments Against The Use of These Markets
- Being paid to find software bugs is morally questionable. Everyone uses software in some way or another, therefore everyone is affected by bugs. People should report any bugs that they find because it is to all people's benefit, not because they will make money out of it.
- The information can easily end up in the wrong hands. Not all companies will sell only to legitimate software vendors and producers.
Buying and selling bug reports may be a moot point in any event. While malware is a separate issue from programming bugs, it still poses a credible threat to computer security. Nearly all anti-virus software is signature-based, which means that it only detects malware that is already known to exist. However, malware producers can make new versions of viruses roughly every 45 seconds (page 2). There is also a growing underground economy for malware, and as it becomes larger and more sophisticated, so will the malware. Bugs can certainly be used by hackers and crackers to make it easier to break into computer systems, but reporting them will barely slow down anyone with enough funds to buy the latest malware. No amount of money spent on a bug report will protect against virus code that doesn't require a security loophole.
Additional Links
- http://bits.blogs.nytimes.com/2007/07/06/a-new-market-for-software-flaws/#more-206
- http://www.techcrunch.com/2007/07/06/hackers-ebay-legitimate-marketplace-or-organized-blackmail/
- http://www.crn.com/security/201800238
- http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf
- http://news.cnet.com/Offering-a-bounty-for-security-bugs/2100-7350_3-5802411.html