Cold cash for hot flaws causing security rift

Bug disclosure has become a lucrative business for vulnerability researchers, but controversy ensues when one refuses to turn over results to Google

In the past, a vulnerability researcher who found a significant software security flaw had two choices: Freely give the vulnerability to the developer to fix, or publicly report the vulnerability as a way to force the developer to respond.

The math behind vulnerability disclosure has changed as third-party security firms -- and some software vendors themselves -- started offering cold cash for hot flaws. At first the rewards were small: paying $500 for a critical issue in a Web browser is a bargain for the software developer. But the rising value of security vulnerabilities has changed the options available to researchers. This week, for example, Google paid $60,000 for a vulnerability in its Chrome browser -- the highest bounty paid to date by a software firm.

Yet even tens of thousands of dollars is not necessarily fair value for a critical vulnerability, as demonstrated by a rift over the Pwn2Own hacking contest. Google pulled its sponsorship of this week's annual contest at the CanSecWest security conference because the organizers refused to require that winning researchers turn over full details of every vulnerability they use to compromise the target software.

"If someone comes up to us and says they have two bugs, and they only wanted to turn over one -- we think that's OK," says Aaron Portnoy, manager of the security research team at TippingPoint, the subsidiary of Hewlett-Packard that runs the Pwn2Own tournament. "Google would turn away researchers if they did not get both. We didn't think that is the best way to get bugs fixed."

At the heart of the controversy is security and offensive-technology firm Vupen. The French company has publicly stated it would not give up the vulnerability information that allows its software -- used by professionals who test corporate security as well as by military and intelligence services -- to compromise target computers. It's just too valuable, says Chaouki Bekrar, CEO and head of research for the firm.

On Wednesday, the company's team used the vulnerabilities and its software to compromise a computer running Google's Chrome. The attack chained two separate exploits: one that bypassed the defensive measures in Windows to gain code execution inside the browser, and another that broke out of the browser's last line of defense, the sandbox that confines a compromised browser process so that code running in it cannot reach the rest of the operating system. Yet Vupen turned over only the information on the code-execution bug.

"Sandbox escapes are rare and very hard to find, thus we need to keep it alive as it is useful for our customers," Bekrar says.

Unsurprisingly, that philosophy does not sit well with Google.

"Chrome has tried to lead the industry in engaging with researchers who are interested in making users safer and making the Web a better place," says Travis McCoy, product manager for Chrome. "It is unfortunate that some in the security community don’t have their interests aligned with making the world a better place."

This story, "Cold cash for hot flaws causing security rift," was originally published on the InfoWorld Tech Watch blog.