So, I've been poking around to find out what vulnerability and exploit selling programs are out there, what folks think about 'em, and what experiences folks have had.
I've long known at least something about ZDI (www.zerodayinitiative.com) and various bounties from a few individual software companies and a few bold programmers - and CERT, etc.
My experience thus far bringing vulnerabilities to large companies (a few banks, a few software companies, and a hosting company) is that they (appear to) ignore them or stick their heads in the sand shamelessly. If they then receive nasty publicity, they round the wagons and don't respond, or in one case launched a massive, expensive PR and lawyer-backed multi-year cover-up before fixing the bug. Often the problems don't get fixed for years - until the vulnerable system happens to be replaced with something completely new.
The vulnerabilities I find generally have put customers or customer information at risk and exposed the companies to serious liability. I find that lately I'm tripping over vulnerabilities with increasing frequency. I haven't to date solicited or demanded compensation, but being altruistic has brought almost nothing but grief. (Only one large company and a few small companies handled my reports responsibly; none offered compensation, and thanks or even acknowledgement were very rare.)
I haven't found much info, but a lot more than nothing. Here's a summary of what I found:
I tried searching here and found that
https://forum.defcon.org/showthread....ll=1#post72521
has a bad link that some admin with access to the 'Rules' account might want to fix. Of course, I did manage to do some searching anyway, and found
https://forum.defcon.org/showthread.php?t=10345 and https://forum.defcon.org/showthread.php?t=11924
http://www.pcworld.com/businesscente...ing_flaws.html was one of the better articles I found.
So, iDefense's program doesn't seem to be described on their site anymore; I wonder if it's working. ZDI seems to be alive and well. Major browsers and Google in general have active bounty programs.
Interestingly, I found http://blog.wslabi.com/ announcing it started providing a marketplace for security research in 2008 by selling the UTM OneShield Security appliance, which integrates a revenue sharing model for those security researchers who contribute their findings. In other words, you provide 'em with 0day signatures, and they share the revenue they get selling appliances that detect and block attacks using the signatures. But it looks stillborn - sites are up, but seem ... abandoned. Also, the vulnerabilities I find are usually in bespoke software, not OSes or packaged COTS software.
I hoped for but was unable to find any comparisons of or discussions about success or failure with specific bounty programs. Hoping to get that here, but shields up; I've had an account for a while, but this is my first post.