web application security lab

Extortion or Payment

Ever since Microsoft posted a rather well-thought-out comment on sla.ckers.org asking that people use responsible disclosure methods and talk directly with Microsoft, there has been a bit of a debate raging about disclosure compensation. Opinion seems fairly evenly split on whether people should or should not be allowed to request compensation, or some other form of monetary remuneration, for finding exploits in a website and disclosing them responsibly.

Roughly half feel that if the company doesn’t pay for a vulnerability, some other group of malicious people will. This flies in the face of the concept of responsible disclosure, since the company would have to match or beat the asking price of the malicious groups who want the exploit in the first place, making it economically difficult for companies to justify buying them (not that they would, but even if they wanted to). So is it a case of free-market economics, or of being the nice guy? Anyway, it’s an interesting read.

17 Responses to “Extortion or Payment”

  1. Spyware Says:

    Pay! Pay! CASH! It’s very unfair to get free advice. Only the rise of the sun is free.

    Extortion is an option, and a very logical one too. Microsoft can’t expect good hackers/coders to work for free.

    So, go grab a billboard, make a poster and scream it out loud on the street! WE WANT CASH!

  2. MikeA Says:

    This is just so wrong I don’t know where to begin.

    The issue is going to be this: let’s say that MSFT offers a standard $50 for a vulnerability disclosed; some other group will offer $100. Prices will go up, not only for the vulnerability, but also for the software itself (somehow the company has to make the money back). What if it isn’t MSFT, but some smaller company that can’t pay the ransom (which effectively it is)?

    I can’t think of any other way of describing this other than extortion. If this does start to happen, then it’s all going to go to hell pretty quickly. If you want to get paid to find vulnerabilities, I’m pretty sure that there are a ton of companies that would like to hire you. However, having the attitude of “who’s going to pay me the most for this” is going to turn off the respectable companies pretty darn quick - what’s to say that you won’t hold back some of the findings from your day job to make some more $$$?

    If full disclosure (without vendor notification, or giving them enough time to fix the problem) is on the line, then the idea of wanting $$$ for vulns is a big step over it. I wouldn’t be surprised if companies, when they find out this has happened, start taking legal action against the vuln hunter(s) - at the very least they can sue them for accessing a system without permission, or whatever the electronic version of trespass is.

  3. SW Says:

    Stick to vulnerabilities, not economics. The free market governs itself. If there is a demand there will be a supply. The only bad monopoly is one backed by force, aka the type of intervention you seem to be advocating. A company can pay for exploits if they want and anyone can demand it in exchange for the information if they want. It might be a smart business move to pay for exploits.

  4. Spider Says:

    I’m sure there’s a free market price on vulnerabilities. There is a free market price on everything.

    However, many of the important operating systems, web servers, programming languages, and network tools are provided to us gratis; I hardly think we can charge any substantial amount to provide any security vulnerabilities we find in any of them, or even in proprietary systems.

    Some things should be free not because they don’t have any value, but because it better serves society to have them free.

  5. SW Says:

    They aren’t forced to do business with us. Competition will keep the prices low and it is at the company’s discretion.

    Nothing should be free simply because it “better serves society” to have it free. First of all we don’t exist simply to “better serve society.” Society is nothing more than a group of individuals working together anyways. If we each work towards our own ends without using aggression towards each other society will be best “served” and most efficient.

  6. Jungsonn Says:

    Aw… well, think we all can give something back after all these years of stealing their software, ain’t it? :D

    Just joking! :) IMO it’s pretty strange they ask for help from sla.ckers.org. It’s ok, but I guess they have money enough to hire a few guys from the board; a lot of talent here.

  7. SystemOfAHack Says:

    I think asking for money would really just give you a bad name, you’d be seen as no better than the black-hats waiting to use and abuse the exploits you hold. Unless I could see a really good reason not to tell them about a significant hole in their security, I suppose I would, free of charge. I’m sure some of you will disagree; these are just my views…

    (In the majority of cases) I would much prefer to be noted as someone who helped save a company from total doom(!!) as opposed to an extortionist threatening to sell on some exploits. Selling stuff on would come back to bite you in the ass sooner or later, whether they try to get the big bad Law involved or pay some malicious bitches to compromise your own system :p [total backfire].

    I suppose it also depends on the situation, and who you are; perhaps you’re in that all-too-familiar mood of finding security holes for a reason…

  8. SW Says:

    I don’t think reporting little vulnerabilities would amount to saving a company from total doom and even if it did you would be lucky to get a response back after they fixed it. :p

    Threatening to sell exploits might be going a little too far but offering to sell them is just exchanging goods in both parties’ best interest. (If not they won’t buy them lol.)

  9. digi7al64 Says:

    @MikeA

    ‘This issue is going to be let’s say that MSFT offers a standard $50 for a vulnerability disclosed, some other group will offer $100. Prices will go up; not only for the vulnerability, but also software itself (somehow the company has to make the money back).’

    Ok, first, $50 for a vulnerability on a MS site is a joke. I would expect at least $500 - $1000 US at a minimum for reporting it… and at that price I consider it very reasonable considering they forecast revenue of $50.7 billion for the fiscal 2007 year (http://www.microsoft.com/msft/earnings/FY07/earn_rel_q2_07.mspx). But let’s forget about my numbers for a moment and use yours. For reporting a vulnerability that allows me to steal Passport accounts all day long I get $50. However, the criminal organisation bugging me for the same spoilt is willing to pay $2000. Why? Because for every account they steal, they can simply get their bot to post the email address to here:

    https://www.paypal.com/cgi-bin/webscr?cmd=_forgot-password.
    http://cgi4.ebay.com.au/ws/eBayISAPI.dll?UserIdRecognizerShow
    https://www.amazon.com/gp/css/account/forgot-password/email.html/ref=ya_hp_pi_3/103-7466734-4610258

    So, considering that, let’s say the bad guys can only steal 10000 accounts (very doable) before the bug is found and patched (highly unlikely). If only 1% of the stolen accounts have an associated account on any of these sites that uses this email address, then the ability to leverage a user’s good name and/or make payments etc. using these accounts means the bad guys are going to make a very tidy profit. So perhaps rather than worry about poor ole MS and the fact that they now need to raise the price of the apps to cover the cost (because 50 billion isn’t enough), how about you worry about the poor souls using an insecure service and the online merchants out of pocket because they trusted the information supplied to them was from a secure source. (Also, how many holes do you think there are? At a guess I would say no more than 100, so the overall impact on the financial statements is a dot at most.)

    ‘What if it isn’t MSFT, but some smaller that can’t pay the ransom (which effectively it is)’.
    Let’s get one thing straight: this isn’t a ransom demand, this is a business proposition. Nobody is being forced to pay and nobody is threatening the companies with extortion. If a company/developer doesn’t have the money to pay, then that is fine… but what they need to do is publish:

    a) Contact information for reporting vulnerabilities (i.e. “Please report all bugs and vulnerabilities to ‘bugs@example.com’”)
    b) Information pertaining to their current payment status (i.e. “Sorry, we are 2 guys and we don’t have the money to pay for reported vulnerabilities. However we do appreciate bug reports and will answer any submissions within 48 hours. Furthermore we agree not to pursue any legal options in relation to any submitted bugs”)

    I will continue to post spoilt for myspace.com for free, for no other reason than I hate them for all the kids they put at risk every day.

    ‘at the very least they can sue them for accessing a system without permission, or whatever the electronic version of trespass is.’

    This statement is entirely wrong. I doubt very much that any company that lacks the knowledge or skills to protect their own web applications is going to find a user that doesn’t want to be identified. In fact, as RSnake has pointed out before, we can use xss as a means to get other people to do our dirty work. Hell, I could write a worm today, post it to “?”, infect a few thousand user accounts and then, via a simple command and control interface, I could launch subsequent xss testing against any site I choose to.

    Finally, to make things clear here, what I am saying is that multi-million dollar companies with large online user bases need to step up their efforts in the way in which they handle reported vulnerabilities. Why? Because the scanners aren’t finding the vulnerabilities, their developers aren’t finding the vulnerabilities, the management teams aren’t finding the vulnerabilities; we are. We are the ones making their services secure. We are the ones making their brand safer. We are the ones driving the need for security, and for that I feel compensation is deserved.

    btw: I commend MS for making the post in the first place, and they should be congratulated for taking the initiative.

  10. Chris_B Says:

    So it’s come to this. This is not about a free market at all. In a free market the buyer knows what they are paying for; the open exchange of information about a product is part of what determines market price. People will pay more for Snap-On tools over a pig iron socket set with the expectation of a quality product and proper service afterwards.

    Unfortunately bug bounties are nothing like that. The buyer has no way to evaluate the product beforehand and nothing but the reputation of the bug finder to go on. Not all bugs are of equal severity, yet even a young wannabe might stumble on a remote code execution bug. With no market reputation, who is to determine that his bug is “worth” any more than a run of the mill XSS?

    This is just a purple hat vulnerability pimp scheme.

  11. quadszilla Says:

    Microsoft should have a standard payout for these exploits.

    On a scale, depending on the severity. That would get the hacker community to actually like them while they test to make their products more secure.

    It’s a drop in the bucket for them.

  12. ha.ckers.org web application security lab - Archive » Ha.ckers.org Is A Phishing Site Says:

    […] ha.ckers.org web application security lab - Archive » Ha.ckers.org Is A Phishing Site « Extortion or Payment […]

  13. MikeA Says:

    @digi7al64

    >> Ok, first, $50 for a vulnerability on a MS site is a joke. I would expect at least $500 - $1000 US at a minimum for reporting it…

    Yeah, that’s what the “let’s say” was for, as in “for argument’s sake”. My math isn’t very good, so I like to stick to small numbers because I can still multiply them without having to keep track of all them zeros. I hate zeros (apart from when they are on the balance of my bank, but haven’t seen that in a while!), and I don’t trust that calc program - too many bugs in it for my liking :|

    Ok, so MSFT has the money, and has a lot of users. Perhaps that justifies a higher ransom. Please explain why it’s nothing more than a ransom though. You have something that a vendor wants (details of how to fix a bug), you’re not going to give it to them unless they give you $x, and if they don’t pay you might do “something bad” with the vuln, like give it to bad guys. Sounds an awful lot like ransom to me. You say that “nobody is being forced to pay and nobody is threatening the companies with extortion”, but isn’t that just what you said a couple of paragraphs above? (However, the criminal organisation bugging me for the same spoilt is willing to pay $2000). What sort of guarantee do you give the company buying the bug off you? Is there a guarantee of an exploit of a certain level? That it hasn’t been discovered elsewhere? That you won’t go on and sell it elsewhere?

    Smaller companies that don’t have any money to give you, you’ll give a “pass” to as long as they publish. I’m not a MSFT fanboy, but I think they do just that. At least they aren’t Google (http://jeremiahgrossman.blogspot.com/2006/10/jeremiah-thanks-rsnake.html). To me, Goog have been one of the worst in fixing the vulns that have been reported to them, and in giving credit. Sorry though, Google gets a pass as well because they aren’t an “evil” company and we all love them so :)

    I have no problem in agreeing that large companies with big installed user bases have to step up their security. I just think that bug ransoms are more of a bad influence on the industry than a good one.

  14. kuza55 Says:

    @MikeA

    First of all we are selling a product, our product is information. Not giving a company our product if they do not pay is not extortion.

    It’s like saying the grocery store is extorting money from me because I need food.

    And also, the comment digi7al64 made about criminal organisations wanting to buy the same product, well, it’s just an example of why the price that you suggested is nowhere near enough.

    @Chris_B

    I’m a pimp, :P

    Furthermore a free market requires no such thing: (from wikipedia):

    “A free market is a market where the price of each item or service is arranged by the mutual consent of sellers and buyers (see supply and demand); the opposite is a controlled market, where supply and price are set by a government. However, while a free market necessitates that government does not dictate prices, it also requires the traders themselves do not coerce or defraud each other, so that all trades are morally voluntary.”

    So the only thing you could call this out on is the morally voluntary part, but I’m convinced it is morally voluntary…..

  15. MikeA Says:

    @kuza55

    >> First of all we are selling a product, our product is information.

    No you are not. With a product you know what you are getting before you pay the money out. With this $$$ for vulns strategy, you are effectively saying “I have this bit of info - I’m not going to tell you what it is, but it’s extremely important to you, especially if it gets in the wrong hands - but I’m not going to tell you what it is; not even a small part of it” (because otherwise the vendor would go out and find it themselves).

    >> Its like saying the grocery store is extorting money from me because I need food.

    Absolutely not. If I need food and I go to the grocery store, I get to look at what I would like to eat, and (in certain cases) inspect the merchandise. If I don’t like what I see, I can go somewhere else. You effectively have the single source of information, are demanding money for it, and (either explicitly or not) saying that there are other people out there that *will* pay if the vendor won’t. I don’t see any other way of describing this other than extortion. Free markets exist only when there are different things/places/versions to buy (otherwise it’s not a “free” market). As you quote above, it’s not a free market if there’s someone dictating prices (gov’t or otherwise), but as the general flow of this argument goes, if the vendor won’t pay a certain amount, you’ll go elsewhere, which is exactly what the vendor doesn’t want happening, so you are effectively dictating the price (buy from me, *at this price*, or I’ll send it here). Once that happens, there’s no voluntary any more - the vendor pretty much has to pay, or take the risk that they can also find the vuln, fix it, etc., before it’s abused, and how will they know if it’s a risk worth taking unless they know what the vuln is?

    Catch-22 I know, but this is why I really really don’t think it’s something we should do. However, for you black-hat guys, that’s your call.

    >> well, its just an example of why the price that you suggested is nowhere near enough.

    I never thought that $50 would be enough (although have you seen the amount of stuff you can buy in the MSFT employee shop for that! If it was in online vouchers for that it might be worth it :) ), but I was just using it as an example. My math is so bad, I can’t count much higher than that, so it’s just simpler for me to use smaller numbers ;p

  16. SW Says:

    There will be no payout if you don’t actually have a vulnerability, and if you do the payout will depend on the scale. I’m sure an agreement could be drafted up for this if it was a problem. This is a contractual, mutually beneficial exchange of labor. I own my labor and its products, i.e. info on a possible exploit, and they own their labor and money with which they can choose to buy my information. If they do not buy it they know it is out on the market still. I am not morally obligated to help anyone, only not to use coercion against them. If someone is going to destroy their website and I know the fix, I wouldn’t be unjust to withhold the information. There is no duty to society here. I really don’t care about their website as they should, and have no obligation to give research information to them or to abstain from trading it with others who are not being stingy.

  17. PHPhreak Says:

    Correct me if I’m wrong, but don’t real hackers believe in free information for all? Isn’t that a lot of their justification for hacking in the first place? I say responsible disclosure methods all the time, for free, even to MS.