April 17, 2009

Should we pay hackers to find bugs?

Finding software security exploits is hard work, and far more lucrative for bad guys

Dr. Charlie Miller, famous Mac hacker, announced at this year's CanSecWest hacking contest that he would no longer be releasing exploits for free, to the vendor or anyone else. Further, Charlie and a few friends have started a "No More Free Bugs" campaign, which even has its own logo.

I've met and very much respect Charlie Miller, and I believe his intentions are good. He just wants to make a living doing what he is good at. The services he provides are valuable, to the software vendor and to us all. Still, I'm bothered by one nagging question: Will or won't Charlie sell his bug findings to parties with malicious intentions? He hasn't yet made a clear, definitive statement on that. I suspect he won't, but for now, I don't know for sure.

I feel for Charlie and other truly elite, well-intentioned hackers like him. I've met many of them over the last 20 years, and I know that discovering vulnerabilities isn't the easiest way to make a living. I've known talented hackers who provided independently found exploits to the vendor and were offended when the vendor didn't want to pay them for their hard work. I've seen these initially well-intentioned hackers begin multiyear vendettas against the vendor, who they purportedly wanted to work for, by announcing bug after bug in retaliation. I've seen scorned hackers sell bugs to competitors and beat up the vendor in the press.

Penny in a haystack
Selling exploits is a money-making opportunity like never before, especially if you're a black hat. A hacker who doesn't care who gets his exploit can sell a decent vulnerability finding for a widely distributed software program for $5,000 or more. Prices on the black market are hard to find, but I've seen offers for up to $100,000 for a remote buffer overflow exploit against Windows Server 2003. Considering that multiple crimeware syndicates are making tens of millions of dollars, or more, a price of tens of thousands of dollars for a well-coded exploit is pretty cheap in the grand scheme of things.

right_wing_conservative_republican 17-Apr-09 9:01am
1 reply
Hackers should not be paid to find bugs. Instead, when caught, they should be held within an inch of their lives if they don't release their known exploits. Hacking is, most certainly, taking its toll on our already ailing economy in terms of lost productivity across all areas of IT.
ctryon 17-Apr-09 1:45pm
Hackers shouldn't be paid to find bugs? How about Quality Control Professionals shouldn't be paid to find bugs? Did you even read the article? On one hand, yes, this is sort of greying the line between "black hat" and "white hat" hackers, but on the other hand, these people are freaking professionals! For the most part, they are smarter than you or I could ever hope to be. If the crooks are out there working for $5,000 to $100,000 per exploit, it somehow seems like that's the true value of a discovered exploit, and the companies that put the crappy software out there in the first place should be ready to pay a healthy pile of shinys to compensate these professionals for their work. I'm no fan of Unions as they exist today, but perhaps this is just the kind of lopsided relationship they were originally designed to address. The original union organizers weren't (for the most part) crooks. They were just honest Joes trying to get together so they could effectively stand up to the much more powerful landowners and corporations that were taking advantage of them. The situation is pretty similar here. They are highly skilled people doing something that only a few people are really capable of doing, and they deserve to be compensated. (Hey! Skim about 0.1% off the CEO's annual bonus, and they would have plenty of money to pay these guys!!)
MAS 17-Apr-09 9:18am
In New Jersey, you must pay an attendant to pump your own gas. In the IT world, you pay for hardware, software, and support. Intellectual property and labor are worth something to everyone else, so why shouldn't this apply to technicians working on faulty and defective software? So if the technician is a "hacker", does that make their time and effort worth any less? What is the material difference between intellectual property of a "hacker" and anyone else? Just a thought: Perhaps "hackers" could obtain patents on the fixes to the software/hardware/system instead? Then they could file an injunction if someone fixes their buggy system. (More ridiculous things happen now!) Oh my!
wizodd 17-Apr-09 2:13pm
"Hackers should not be paid to find bugs. Instead, when caught, they should be held within an inch of their lives if they don't release their known exploits. Hacking is, most certainly, taking its toll on our already ailing economy in terms of lost productivity across all areas of IT." LOL Thanks! That's the funniest thing I've read in WEEKS!!! You call yourself a conservative??!!! What about the free market? What about the real problem--people who continue to buy buggy software from companies that won't check their stuff before releasing it? Don't the purchasers deserve a product that is both safe and functional? The government and the individuals would drop like anvils from the sky on a car maker who put out anything as dangerously defective as most commercial software. And it's not CHEAP either, I've paid $500,000 and up for software that barely functioned and it was the BEST available of its type. We don't fry mechanics who find flaws in cars, we shouldn't take the rights away from users who find problems either. How much is a bug worth? Depends upon the bug--those spelling errors and incorrect error messages aren't worth much, but how much do MS and its customers stand to lose if an OS security hole is sold to the black hats? Millions? Billions? It is valuable information, and the owners have the right to do as they please with it--including give it to the manufacturer or sell it to the highest bidder. The industry and the users have a long, long history of being warned about security problems, and refusing to pay attention to the warnings. Remember ATMs? They were in the field in operation for months before any bank even bothered to insure them, and much longer before they encrypted the traffic. It's the economics of acceptable losses. If I were still hacking systems, and found a decent exploit, I'd send it to several attorneys certified mail, with instructions to hold them until called by the software company.
Then when it broke in the news that the exploit existed, I'd send a letter to the company telling them to call the attorney and ask for their letter. Then it should be very easy to calculate EXACTLY what the time-value of that bug was. Besides, if you made it illegal, then a company which released a program with known vulnerabilities (unreleased) would be subject to both legal and civil claims. Frankly, I started trying to warn people about this stuff 35 years ago, and no one wanted to listen. Same with the 1999-2000 roll-over, management didn't become serious about it (except in the mortgage industry, which dealt with it decades earlier,) until the last 6 months, when they looked at the reports they'd been getting for months and months, and found out that, gee, 2000 was the end of NEXT quarter and they weren't ready. Whereupon most of them did exactly the wrong thing, and threw more manpower at the project, a fix known for decades to be ineffective at best, and counter-productive at worst. If the white-hats ever turned even gray, business world-wide would lose orders of magnitude more than it does now, as most of the best hackers are also honest. (If they weren't, you would have seen banks being robbed in the late 70's by computer. The trick that cost Pacific Bank $12 million by wire transfer was trivial.) And 9/11? Please, the ATC system is an antiquated joke, even after updating. Program a plane to fly anywhere if you can get in the auto-pilot--which these days is an entire computer system. A company that won't pay to put out quality work deserves to have anything that can be done to them, done. You either pay up front, or you pay later--but you ALWAYS PAY. It's CHEAP to hire QA people. It's expensive to lose your life savings because you trusted a product with known defects. How much is an exploit against Server 2003 worth? 20-100x as much as the black hat offer. How much do the white hats want for that kind of information? A LIVING WAGE! Which is cheaper?
Note that MS lost money on Vista & even on XP to Linux because MS has a really awful record for putting stuff out that has MAJOR bugs which the hackers usually locate in less than a month. Sooner or later, a government will decide that it is a crime to release software with certain types of bugs, just as every other product sold has some sort of safety requirement. MS just lost at least 80 million Pounds of UK government business to open-source freeware. More will follow, if only because of cash shortages. In the 60's programmers were very expensive, and machines were hideously expensive. Now, the same equipment level is hardly available, as the cheapest laptop out there is under $300 and does many times more things at much higher speed than any machine out of the 60's. Programmers are cheap. EXPERT programmers who write code that works without problems are worth much, much more, but it is difficult to get any company to recognize that one person can be worth orders of magnitude more than another. A single hacker for one day can be worth more to your company than an IT department with 500 programmers for the year. If he/she is lucky, they might make 1% of that value, if they can get a job. I don't know if we've had any software hacks which killed yet, but we will. We've had errors which have destroyed millions of dollars worth of space-craft. Do you really think that all of the newly computerized equipment (down to and including your toaster) won't get hacked? How do you prosecute someone who makes a car's GPS direct them into the lake from an unknown location? This is the same mentality that won't put in a stop sign unless someone dies, even when it is obviously dangerous not to have one. Finding exploits & bugs takes talent, education and time, all of which should be compensated, just like the butcher, baker & candlestick maker. One hacker, actually using one exploit, can illegally make hundreds of millions and retire.
Your answer is to force them to work for free? Bound to work. We've had marijuana illegal in the US for over 70 years and yet, somehow, it is still a top cash crop in all 50 states. We can't stop that, and most of it grows out in the open. How will you FIND, much less prosecute someone who refuses to release information that you don't even know they have?
akaChopper 20-Apr-09 1:51pm

This is a great idea; though it's not without problems, it should happen.

©1994-2009 Infoworld, Inc.