A manifesto for fixing vulnerability disclosure

I think it’s safe to say that 99% of the security community believes that developing exploits and then selling them to security vendors is a Bad Thing, yet, to me, no one seems concerned enough about this activity to develop a viable, alternative model. Application developers hate it when you won’t tell them what’s wrong with their product. Application users (i.e. the general public) hate that they can’t fix their software even if they wanted to. Of course, every single user of technology on the planet could just subscribe to 15+ security vendors’ product lines to get notice of these things… The entire idea seems antithetical to our purpose for existence, if we had one, namely to help secure every technology on the planet so that people can extend and build new ones.

Exploit developers spend lots of time providing R&D services to application developers. In the past this service was provided for free, and value was derived from the relationship in terms of notoriety after a responsible disclosure was made. If you were popping Oracle left and right on full-disclosure you probably made a good amount consulting to large enterprises, giving talks, and doing custom development. I don’t think Fyodor is having any trouble with money right now!

Private vulnerability disclosure came about because security vendors were available to immediately gratify exploit developers with cash. Selling my exploit to ZDI removes the notoriety I’d gain from the relationship, but it adds a Mercedes SL-55. Additionally, ZDI takes on any liability from the disclosure that the individual exploit developer may have had to deal with. I can sell and forget, not worry about legal problems, and go home with a truckload of cash. In my opinion, it’s lazy and anti-social (sadly matching many of our personalities). Of course, this works for the vendor as well: they get to differentiate their product, charge higher prices, establish a brand in the hacker community, and so on.

As an exploit developer I’m now faced with a very [simple] choice. If I develop a high-profile exploit I can face years of difficult consulting to recoup my money, expose myself legally, and directly provide R&D services to an application developer I probably despise or I can directly sell my exploit to a security vendor for a boatload of cash and never have to worry about unwanted attention. The availability and the success of this practice has pushed most of the 0day market underground and the public has started to take notice.

My greatest fear is that private vulnerability disclosure is undermining the respect of our entire profession. The security community at large is starting to take notice that it’s the same people who are privately disclosing critical vulnerabilities on one side and attempting to secure the affected businesses on the other, and they are getting pissed. As time goes on, more people will view us as a dysfunctional and harmful community until it lands in our legislators’ laps to “make a law”. I don’t think I have to say that this is the last thing we want.

In 2008, we are at a critical juncture. This practice is still just gaining speed. We still have the opportunity to propose something different: something that preserves exploit developers’ ability to make money and preserves the public’s right to know. Acceptance of private vulnerability disclosure will only continue to rise among exploit developers and security vendors as time goes on. If we wait too long, this will become an unshakable cultural norm that we cannot stop, and it will sabotage our credibility with all those who use the computer systems we are supposed to protect. The time to fix this is now.

This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution 3.0 License.

1 Response to “A manifesto for fixing vulnerability disclosure”


  1. Dan Guido

    Ok, that does it! I argued about this with Mike Aiello and we came up with a decent solution. Check back in 3-6 months.
