CSC 379 SUM2008:Week 3, Group 1
Markets for Bug Reports
As hackers grow in number and the data that software handles becomes more sensitive, the bugs that software contains are becoming valuable assets. New legitimate markets are opening up where people who find an exploit or a bug in a program or network can sell it to the highest bidder. The most notable sites are TippingPoint and WSLabi. Currently, there is a black market for software and network exploits. Most of the time, hackers will sell the exploits they find to malware writers or to other hackers. What companies like WSLabi and TippingPoint are trying to do is create a legitimate market in which hackers can sell their bugs, and thereby shrink the bug black market. This also lets the company whose product or system contains the bug become aware of the security risks in it.
See this article for more information on the software bug underground market.
Arguments For The Use of These Markets
- Software will become more secure. By rewarding individuals for their time and effort, people are given an incentive to expose and report more bugs. As these bugs are fixed, software becomes more robust and safer to use.
- They will make it easier to report a bug. Markets will help people come forward who would otherwise not report bugs because of past frustration with reporting them to software vendors.[1]
There are concerns that companies in this line of business might sell their information to the highest bidder, which potentially means malware producers. But as the market grows, competition will force these companies to protect their reputations by regulating themselves. One example is the Switzerland-based firm WSLabi, which claims to screen its buyers. If a buyer seems legitimate, WSLabi will sell them the information and vouch for them in the future.
Arguments Against The Use of These Markets
- Being paid to find software bugs is morally questionable. Everyone uses software in some way or another, therefore everyone is affected by bugs. People should report any bugs that they find because it is to all people's benefit, not because they will make money out of it. Furthermore, the business practices of a select few exploit-sellers have been proclaimed tantamount to extortion, as in the case of VDA Labs, a 2007 start-up.
- The information can easily end up in the wrong hands. Not all companies will sell only to legitimate software vendors and producers. Also, some bug companies sell their bugs in an auction format. They claim that the main market for these bugs is security companies hoping to release updates to their software that prevent security holes from being exploited before their competitors can release the same fixes. However, there is nothing stopping a malware writer from outbidding the legitimate companies for a bug.
Buying and selling bug reports may be a moot point in any event. While malware is a separate issue from programming bugs, it still poses a credible threat to computer security. Nearly all anti-virus software is signature-based, which means that it only detects malware that is already known to exist. However, malware producers can make new versions of viruses roughly every 45 seconds or so (page 2). There is also a growing underground economy for malware, and as it becomes larger and more sophisticated, so will the malware. Bugs can certainly be used by hackers and crackers to make it easier to break into computer systems, but reporting them will barely slow down anyone with enough funds to buy the latest malware. No amount of money spent on a bug report will protect against virus code that doesn't require a security loophole.
Bug Economics
Traditional economic rules for buyer/seller relationships do not apply in a software vulnerability marketplace. The key ingredients in any mundane economic transaction are buyers, sellers, and products, and in most cases each ingredient is eminently replaceable by a substitute. That is, there are usually many sellers of the same product, or many available alternatives to a given product, and almost always more than one party interested in buying that product. Each of these factors predictably governs the price negotiated for a transaction according to basic supply and demand curves. In the case of software bug reports in the marketplace, there is only one product (and only one instance thereof), one seller (the bug identifier), and two prospective buyers: an exploitative party and the software vendor who stands to be victimized by that party. That particular setup leaves software vendors prone to price extortion by the seller, or to direct exploitation by malicious buyers; this unique condition is only complicated by the emergence of speculators, middle-men and other transactional intermediaries.
The economics of software in general are not conventional (high fixed costs, negligible variable costs), so incorporating the sub-market of bug reports into software product pricing as a cost of doing business may further distort software prices.
Additional Links
- Kawamoto, Dawn. Bug hunting start-up: Pay up or feel the pain. C|Net. Aug 3, 2007.
- Cantrill, Bryan. The Economics of Software (blog). August 24, 2004.
- http://bits.blogs.nytimes.com/2007/07/06/a-new-market-for-software-flaws/#more-206
- http://www.techcrunch.com/2007/07/06/hackers-ebay-legitimate-marketplace-or-organized-blackmail/
- http://www.crn.com/security/201800238
- http://www.fstc.org/docs/articles/messaglabs_online_shadow_economy.pdf
- Evers, Joris. Offering a bounty for security bugs. C|Net. Jul 24, 2005.