Fame, Trinkets and Cash

Taking place over the last week was the CanSecWest 2010 security conference, with their now annual Pwn2Own contest. For those that are unfamiliar, the Pwn2Own contest presents a number of devices usually consisting of mobile or cellular devices and laptops as targets and allows contestants to attempt to compromise them in some way. These targets are patched up through the most recent vendor patches, and if a contestant is able to Pwn (compromise) the device, they get to Own (keep) it. This is always a nice publicity stunt as the contest is widely publicized by it’s sponsor, providing researchers with some fame and a prize as a bit of a return on their invested effort researching vulnerabilities and developing exploits.  The Zero Day Initiative (ZDI) who sponsors the contest also offers to buy the vulnerabilities used by the winners and “responsibly disclose” them to the affected vendors, providing a bit of a cash incentive as well.

Over the past few years however, some things have drastically changed in the value and marketability of such vulnerabilities.

There has been a dramatic explosion in the size of the legitimate vulnerabilities market.  I personally did some research into this about five or six years ago, and there wasn’t much of an overt, legitimate market for selling vulnerability information and exploits.  This was about the time that iDefense’s Vulnerability Contributor Program had only been around for a couple years and TippingPoint’s Zero Day Initiative was just getting started.  The market was small, and other than these public buyers (among a couple others), unless you were well-connected and could find the other legitimate buyers that stayed well below the radar, or wanted to sell to organized crime, these buyers were pretty much your only options.

Since that time, the buyer pool has grown dramatically.  I took a fresh look at the market a couple of months ago when a blog post from SourceFire inadvertently drove people on both sides of the equation directly to my email inbox.  I mean really, who at DEFCON other than me fits that description???  I was both surprised and overwhelmed by the amount of interest I got from both buyers and sellers regarding a service that I wasn’t even providing.  Building upon that response, I decided to see how difficult it was to seek out additional buyers, which turned out to be not hard at all.  Finding researchers who want to be paid for their work is trivial.  This is a huge change in attitude and intention since I originally looked into the vulnerabilities market five or six years ago.

Over the period of time between these two bouts of research into the market which both had drastically different results, a lot of things have happened.  Multiple attempts have been made to sell exploits on eBay or create an open vulnerabilities auction site. Multiple private markets now exist. ZDI and iDefense are still going strong. Papers have been published and countless blogs and articles have been written on the subject. Brokers have begun offering their services.  The “No More Free Bugs” movement was born.  Overall, the vulnerabilities market has grown up a little.

While there is now a considerable financial incentive to sell their work rather than publicly disclosing it for a bit of fame and an acknowledgment in a vendor’s advisory, or holding onto their research until a conference comes around where they can win a bit of cash and a trinket or two, I really don’t know how long quality contestants will stay interested in such a contest.  The only thing that sets Pwn2Own apart from the other vendor bug-bounties, “hack our product” contests, and even the ZDI and iDefense programs themselves, is that they have done a decent job trying to provide somewhat reasonable cash prizes that don’t get scoffed at quite so easily alongside the trinkets.  This year the Pwn2Own contest touted $100,000 in cash and prizes, and I’m not trying to demean the prizes given away in the Pwn2Own contest, but when compared with the prices that the individual vulnerabilities used to compromise the two laptops could have fetched, describing iPhones and laptops as “trinkets” is more than appropriate in comparison.  I expect that Pwn2Own will continue to have to keep upping it’s game in the cash department to stay attractive as more and more researchers realize that they can get a much better return on their investment of effort in the vulnerabilities market and as vulnerability purchasing becomes more commonplace.  At least the contest seems to be prompting some vendors into releasing huge numbers of patches just before the contest, which is a good thing.

When it comes to the ethics and risks of such vulnerability sales, everyone must make their own decisions in such matters.  While some believe that disclosing a vulnerability to anyone other than the vendor, or the vendor via an intermediary such as ZDI, is absolutely wrong, others find nothing wrong with selling the vulnerability to the highest bidder, regardless of what that buyer might intend to do with it.  While these are obviously the two extremes, the recent sentencing of Jeremy Jethro for selling an exploit to the convicted TJX hacker who used it for nefarious purposes has set the precedent that selling an exploit to someone regardless of knowledge of their intentions could land you in legal trouble.  The upside to the current state of the vulnerabilities market is that today there are plenty of legitimate buyers to sell to if you put in some effort to find them, and such transactions can be made legally, contractually, without a lot of risk, and to buyers that have been vetted and their intentions are known and clear.  This is where using a broker can greatly assist someone in selling their work, as the broker’s entire purpose is to find their client the best price possible from the types of buyers that the seller is comfortable with.

For now I’m continuing to do more research into the market and vulnerability brokering, however so far the market seems quite viable and a potentially lucrative endeavor, should some random blog someday inadvertently “out” you as a vulnerabilities broker.  In the meantime, I’ll be happy to point anyone that asks, both buyers and green hats, in the right direction.

Leave a Reply