7

How can we design a market for information disclosure where individual security researchers may benefit economically in an ethical way?

Assume a market where the participants are governments, researchers (black and white), educational institutions, corporations, and non-profit non-governmental organizations.

What regulations or mechanisms would dampen profit for Black Hat individual researchers while allowing White Hat individual researchers to profit ethically?

What procedures or mechanisms would prevent abuse by governments where researchers reside or from companies for which researchers work?

this.josh
blunders
    The question *might* be on-topic if you could flesh it out a bit and give it a more specific goal. Right now, it's extremely vague and subjective. – Iszi Nov 17 '11 at 18:48
  • There are a number of companies that buy bugs for legitimate (and ethical) purposes. http://www.zerodayinitiative.com/ is the first that comes to mind. – mikeazo Nov 17 '11 at 18:48

2 Answers

6

There are a variety of approaches to promote the discovery and fixing of software vulnerabilities. The most common ways to provide compensation to researchers are bug bounties (run by vendors) and vulnerability brokers (who buy and sell information on vulnerabilities applicable to popular software). These are well described in A Comparison of Market Approaches to Software Vulnerability Disclosure (2006) by Rainer Böhme, but he notes that they are each badly flawed and don't lead to the kind of research investment or vendor engagement that we need to deal with the enormous problems of insecure software. The black-hat vulnerability brokers, who don't release the exploits to the vendors, pay much more (a factor of 10?) to black-hat researchers than the more ethical brokers do. The result is that a large fraction of the research goes underground and contributes to Internet insecurity rather than security.

I think that Böhme's proposal for exploit derivatives is a very promising form of market to explore, to achieve exactly what you're talking about. It gives researchers a way to make money by discovering a vulnerability without having to disclose it in a dangerous way. As Böhme writes:

consider a contract that pays its owner the sum of 100 EUR on, say, 30 June 2006 if there exists a remote root exploit against a precisely specified version of ssh on a defined platform. It is easy to issue this kind of contracts, since you would sell it as a bundle with the inverse contract that pays 100 EUR if the ssh program is not broken within the maturity. Then, different parties can trade the contracts on an electronic trading platform that matches bid and ask prices, settles the deals, and publishes the price quotes.

[This kind of market would attract a variety of groups of market participants:]

software users would demand contracts paying on breaches in order to hedge the risks they are exposed to due to their computer network...

Software vendors could demand contracts that pay if their software remains secure as a means to signal to their customers that they trust their own system; or contracts that pay if their competitors’ software breaks...

software vendors [could] use exploit derivatives as part of their compensation schemes to give developers an incentive to secure programming...

Finally, security experts could use the market to capitalize effort in security analyses. If, after a code review, they consider a software as secure, they could buy contracts on the secure state at a higher rate than the market price.

They are an application of "Binary options" to security events. See Exploit Derivatives & National Security by Micah Schwalb for more details.

The main problem seems to be that various laws can be used in various jurisdictions to inhibit the flow of information about vulnerabilities, as Schwalb discusses, so that is something to work on, and he proposes an idea for enabling a pilot of this kind of market by making exceptions to the law for the emerging important but risky world of IPv6 vulnerabilities.

See other options, and more discussion on this site at: Progress in market approaches to software vulnerability disclosure? - IT Security - Stack Exchange

nealmcb
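As an added illustration (not code from this answer, from Böhme's paper, or from any real trading platform), the following Python toy model works through the bundle mechanics quoted above: the issuer of a breach/secure pair is hedged whichever way it settles, a simple order match publishes a quote whose level reads as an implied breach probability, and a software user can lock in a fixed cost against a breach loss. The target label, maturity date and orders are constructed.

```python
# Toy model of Böhme-style exploit derivatives (added illustration; not from the answer,
# Böhme's paper, or any trading venue). All labels, dates and orders are constructed.
NOTIONAL = 100  # EUR paid by whichever leg settles in the money, as in Böhme's example


def issue_bundle(target, maturity):
    """Issuer sells the breach leg and its inverse together for NOTIONAL; exactly one
    of them pays NOTIONAL at maturity, so the issuer carries no exploit risk."""
    leg = {"target": target, "maturity": maturity}
    return dict(leg, pays_on_breach=True), dict(leg, pays_on_breach=False)


def settle(contract, exploit_disclosed):
    """Payout of one leg: the breach leg pays iff a qualifying exploit exists by maturity."""
    return NOTIONAL if contract["pays_on_breach"] == exploit_disclosed else 0


def issuer_net(n_bundles, exploit_disclosed):
    """Cash collected minus cash paid by the issuer; zero in both states of the world."""
    breach, secure = issue_bundle("ssh-<version>/<platform>", "2006-06-30")  # placeholder target
    paid = n_bundles * (settle(breach, exploit_disclosed) + settle(secure, exploit_disclosed))
    return n_bundles * NOTIONAL - paid


def match_orders(bids, asks):
    """Minimal price-priority matching for one leg; bids/asks are (price, qty) lists.
    Crossing orders trade at the resting ask price; returns (trades, last_quote)."""
    bids = sorted(bids, key=lambda o: -o[0])
    asks = sorted(asks, key=lambda o: o[0])
    trades, quote = [], None
    while bids and asks and bids[0][0] >= asks[0][0]:
        (bp, bq), (ap, aq) = bids[0], asks[0]
        qty = min(bq, aq)
        trades.append((ap, qty))
        quote = ap  # the published price quote is the last traded price
        bids[0], asks[0] = (bp, bq - qty), (ap, aq - qty)
        if bids[0][1] == 0:
            bids.pop(0)
        if asks[0][1] == 0:
            asks.pop(0)
    return trades, quote


def implied_breach_probability(breach_quote):
    """A breach leg quoted at q EUR reflects a market belief of roughly P(breach) = q / NOTIONAL."""
    return breach_quote / NOTIONAL


def hedged_user_cash(loss_on_breach, breach_price, exploit_disclosed):
    """A software user facing loss_on_breach buys loss_on_breach / NOTIONAL breach contracts.
    Returns the user's net cash position, which is the same whether or not the exploit appears."""
    n = loss_on_breach / NOTIONAL
    breach, _ = issue_bundle("ssh-<version>/<platform>", "2006-06-30")  # placeholder target
    payout = n * settle(breach, exploit_disclosed)
    loss = loss_on_breach if exploit_disclosed else 0
    return -n * breach_price + payout - loss
```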
3

There are several sites that support ethical disclosure. The movement is often referred to as "No More Free Bugs".

A Google search for the same brought up this list of bounty/reward sites that seem legit; of course, I can't vouch for all of them...

http://blog.nibblesec.org/2011/10/no-more-free-bugs-initiatives.html

Iszi
makerofthings7
    I presume "can" was meant to be "can't". FTFY. – Iszi Nov 17 '11 at 18:52
  • @Iszi - Thanks, still getting used to a new ergonomic keyboard – makerofthings7 Nov 17 '11 at 18:55
  • @blunders, there is another question devoted to this approach, with more insights: [Which companies facilitate payment in return for vulnerability disclosure? - IT Security - Stack Exchange](http://security.stackexchange.com/questions/4086/which-companies-facilitate-payment-in-return-for-vulnerability-disclosure) – nealmcb Nov 20 '11 at 15:55