
If requesting payment from an affected party directly for the disclosure of vulnerabilities is considered extortion, how can independent security researchers earn a living or side income from researching security vulnerabilities?

Arminius
Nick
  • Take a look here: https://code.google.com/p/it-sec-catalog/wiki/Heap#No_more_free_bugs –  May 25 '11 at 10:37
  • In extortion the payment is mostly for not publicly disclosing the vulnerability, not so much for its private disclosure. If you would just ask money for private disclosure without threatening exploiting it or public disclosure, I would not think of it as extortion. – beetstra May 26 '11 at 12:53
  • See also [Ethics and economy in security research - IT Security - Stack Exchange](http://security.stackexchange.com/questions/9005/ethics-and-economy-in-security-research), and another summary of No More Free Bugs at [Nibble Security: "No More Free Bugs" Initiatives](http://blog.nibblesec.org/2011/10/no-more-free-bugs-initiatives.html). But see the problems of this approach, and the **exploit derivatives** alternative market approach, at [exploit derivatives](http://security.stackexchange.com/questions/9005/ethics-and-economy-in-security-research/9060#9060) – nealmcb Nov 20 '11 at 15:58

3 Answers


In the 'white' sense, the most well-known companies that pay researchers to buy vulnerabilities or exploits are:

Certain companies like Mozilla and Google have established bug bounty programs - they buy vulnerabilities of their software themselves.

Charlie Miller (famous exploit developer) has written a small paper on the topic - it's an interesting read: The Legitimate Vulnerability Market: The Secretive World of 0-Day Exploit Sales (2007)

john
  • See also Digital Armaments: [Contribute Program](http://digitalarmaments.com/index.php/contribute.html) (though their web site problems don't put them in a good light...) – nealmcb May 25 '11 at 18:29
  • I didn't mention them because I personally don't really trust them. I've never heard of anyone submitting bugs to them. Seems a little scammy, or shady at least. – john May 25 '11 at 18:35
  • Many thanks for this answer, john. Charlie Miller's paper is particularly interesting. He mentions [SNOsoft's Exploit Acquisition Program](http://snosoft.blogspot.com/2010/03/recent-news-on-forbes-about-our-exploit.html) as another potential marketplace. – Nick May 25 '11 at 22:13
  • @Nick, thanks for that, forgot about Netragard, I'll edit. Funny story, they started their program some years ago, then stopped it in 2008, then started it again last year. I think they are mostly brokers though, instead of circulating vulns to client lists or using them to create IDS signatures as TippingPoint does. Also, they buy only full exploits (ZDI buys vulns or exploits) – john May 25 '11 at 23:13

The bug bounty programs and competitions like pwn2own come to mind.

This would not be an exhaustive list, but large companies that offer bug bounties include:

Microsoft is a notable exception.

You could also get a research grant from Universities and the government.

Rakkhi
  • I think facebook doesn't 'buy' vulnerabilities just yet. Their CSO announced (a few days ago) that they'll start their bug bounty program within the year. – john May 25 '11 at 10:37

I'd say it has a lot to do with the order of operations:

Extortion:

  • find vulnerability
  • contact company and demand payment

Tiger Team:

  • contact company and negotiate contract
  • find vulnerabilities

Unless there's a bug-finding program set up already, attempting to find vulnerabilities and hacking look pretty much the same without a pre-existing contract.

I know a few independent/small company consultants who manage to make a living working as a tiger team for companies. I'd say the hardest part is getting the reputation, so you can make a case to the company that you should be the person they pay for this work.

bethlakshmi