Business Models for Discovering Security Vulnerabilities

One company sells them to the vendors:

The founder of a small Moscow security company, Gleg, Legerov scrutinizes computer code in commonly used software for programming bugs, which attackers can use to break into computer systems, and sends his findings to a few dozen corporate customers around the world. Each customer pays more than $10,000 for information it can use to plug the hidden holes in its computers and stay ahead of criminal hackers.

iDefense buys them:

This month, iDefense, a Virginia-based subsidiary of the technology company VeriSign, began offering an $8,000 bounty to the first six researchers to find holes in Vista or the newest version of Internet Explorer, and up to $4,000 more for code that can take advantage of the weaknesses. Like Gleg, iDefense will sell information about those vulnerabilities to companies and government agencies for an undisclosed amount, though iDefense makes it a practice to alert vendors like Microsoft first.

So do criminals:

But the iDefense rewards are low compared to bounties offered on the black market. In December, the Japanese antivirus company TrendMicro found a Vista vulnerability being offered by an anonymous hacker on a Romanian Web forum for $50,000.

There's a lot of FUD in this article, but also some good stuff.

Posted on February 5, 2007 at 12:44 PM • 40 Comments

Comments

Nobby Nuts • February 5, 2007 12:55 PM

Heh. Started off interestingly but the ending's a bit of a cliffhanger! One company ... what??

Israel Torres • February 5, 2007 1:19 PM

Here is the underlying (and unrendered) html for this topic:

"One company sells them to the vendors:

The founder of a small Moscow security company, Gleg, Legerov scrutinizes computer code in commonly used software for programming bugs, which attackers can use to break into computer systems, and sends his findings to a few dozen corporate customers around the world. Each customer pays more than $10,000 for information it can use to plug the hidden holes in its computers and stay ahead of criminal hackers.

iDefensebuys them:

This month, iDefense, a Virginia- based subsidiary of the technology company VeriSign, began offering an $8,000 bounty to the first six researchers to find holes in Vista or the newest version of Internet Explorer, and up to $4,000 more for code that take can advantage of the weaknesses. Like Gleg, iDefense, will sell information about those vulnerabilities to companies and government agencies for an undisclosed amount, though iDefense makes it a practice to alert vendors like Microsoft first.

So do criminals:

But the iDefense rewards are low compared to bounties offered on the black market. In December, the Japanese antivirus company TrendMicro found a Vista vulnerability being offered by an anonymous hacker on a Romanian Web forum for $50,000."

There's a lot of FUD in this article, but also some good stuff."

^^^^^
Just because you can't see it doesn't mean it isn't there.

Hope it helps ;)
Israel Torres

Michael T • February 5, 2007 1:19 PM

View source - the problem is a link enclosing a URL not in double quotes, but in a single quote and a double quote.

The actual story:

One company a href='http://www.iht.com/articles/2007/01/29/business/bugs.php" sells them /a to the vendors:

blockquote The founder of a small Moscow security company, Gleg, Legerov scrutinizes computer code in commonly used software for programming bugs, which attackers can use to break into computer systems, and sends his findings to a few dozen corporate customers around the world. Each customer pays more than $10,000 for information it can use to plug the hidden holes in its computers and stay ahead of criminal hackers. /blockquote

iDefensebuys them:

blockquote This month, iDefense, a Virginia- based subsidiary of the technology company VeriSign, began offering an $8,000 bounty to the first six researchers to find holes in Vista or the newest version of Internet Explorer, and up to $4,000 more for code that take can advantage of the weaknesses. Like Gleg, iDefense, will sell information about those vulnerabilities to companies and government agencies for an undisclosed amount, though iDefense makes it a practice to alert vendors like Microsoft first. /blockquote

So do criminals:

blockquote But the iDefense rewards are low compared to bounties offered on the black market. In December, the Japanese antivirus company TrendMicro found a Vista vulnerability being offered by an anonymous hacker on a Romanian Web forum for $50,000." /blockquote

There's a lot of FUD in this article, but also some good stuff.
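The quoting mistake Michael T points out can be reproduced with a small tokenizer that applies the HTML rule he relies on: a quoted attribute value runs until the same quote character that opened it. This is an added example, not code from the post or from any commenter; the markup is a constructed sample modelled on the source he quoted, and `swallowed_values` is a simple check of my own for spotting the same mistake.

```python
ARTICLE_URL = "http://www.iht.com/articles/2007/01/29/business/bugs.php"

# Constructed sample markup modelled on the source Michael T quoted: the href
# opens with a single quote and closes with a double quote.
BROKEN = (
    "One company <a href='" + ARTICLE_URL + "\">sells them</a> to the vendors:\n"
    "<blockquote>Each customer pays more than $10,000 for information it can "
    "use to plug the hidden holes.</blockquote>\n"
    "There's a lot of FUD in this article, but also some good stuff."
)
# The same markup with both quotes matched.
FIXED = BROKEN.replace("href='", 'href="', 1)


def _tokenize(markup):
    """Split markup into ("text", chunk) and ("tag"/"unclosed_tag", values) events.

    Simplified HTML tokenizer rules:
      - outside a tag every character is visible text;
      - '<' opens a tag and '>' closes it, unless we are inside a quoted value;
      - a quote seen right after '=' opens an attribute value that runs until
        the SAME quote character appears again, however far away that is.
    `values` lists the quoted attribute values exactly as consumed.
    """
    text, values, value = [], [], []
    quote = None          # quote character that opened the current value
    in_tag = expect_value = False
    for ch in markup:
        if not in_tag:
            if ch == "<":
                if text:
                    yield ("text", "".join(text))
                    text = []
                in_tag = True
            else:
                text.append(ch)
        elif quote:
            if ch == quote:
                values.append("".join(value))
                quote, value = None, []
            else:
                value.append(ch)
        elif expect_value and ch in "'\"":
            quote, expect_value = ch, False
        elif ch == "=":
            expect_value = True
        else:
            if not ch.isspace():
                expect_value = False
            if ch == ">":
                yield ("tag", values)
                values, in_tag = [], False
    if text:
        yield ("text", "".join(text))
    if in_tag:
        # Input ended inside a tag: the browser never saw the closing '>'.
        if quote:
            values.append("".join(value))
        yield ("unclosed_tag", values)


def visible_text(markup):
    """Text a browser would render: everything that is not inside a tag."""
    return "".join(chunk for kind, chunk in _tokenize(markup) if kind == "text")


def swallowed_values(markup):
    """Quoted attribute values containing '<', '>' or a newline.

    A value like that almost always means a mismatched quote made the
    tokenizer treat the following markup as part of the attribute.
    """
    bad = []
    for kind, values in _tokenize(markup):
        if kind != "text":
            bad.extend(v for v in values if any(c in v for c in "<>\n"))
    return bad


if __name__ == "__main__":
    print(repr(visible_text(BROKEN)))   # 'One company '
    print(repr(visible_text(FIXED)))
    print(swallowed_values(BROKEN)[0][:60])
```

With the single-quoted href, the value runs all the way to the apostrophe in "There's" and the tag never closes, which is why only "One company" rendered.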

Fred P • February 5, 2007 1:26 PM

I gather that this is part of Bruce's new security strategy - security through mis-matched quotes :-)

Erik N • February 5, 2007 1:46 PM

Bruce: It appears that you start the link href with a single quote and end it with a double quote. They should both be double quotes.

cmills • February 5, 2007 1:47 PM

Bruce is a mastermind! Look at how much conversation he has provoked with only two words!

derf • February 5, 2007 2:50 PM

So if I pay my local dateless 14 year olds $1000 per exploit I could conceivably have a decent "cyber security business".

Michael Richardson • February 5, 2007 3:23 PM

> So if I pay my local dateless 14 year olds
> $1000 per exploit I could conceivably have a
> decent "cyber security business".

No, that's way too high. If you pay them that much, they won't remain "dateless"

goozbach • February 5, 2007 3:39 PM

What I think is funny is that immediately some went to "view source" to see if the missing quote may have happened. (myself included)

That has to say something about the type of audience you have reading your blog, Mr Schneier.

Paranoid • February 5, 2007 5:12 PM

Am I alone in being a little sceptical about this? Just how do you negotiate the payment for a software bug?

It sounds as if the trade in software vulnerabilities is ripe for the conmen. If I sell you a "vulnerability" and it turns out to be nothing of the sort what do you do next? Of course if I set a condition for buying a vulnerability that I won't pay you until I have verified the bug then why pay at all?

All classic cons depend upon getting the mark to do something illegal or embarrassing so that they can't complain to the police; selling bogus software bugs sounds like easy money to me.

Another angle on this: what is to stop the FBI/NSA from setting up stings by offering to sell plausible looking bugs?

mud and flame • February 5, 2007 5:38 PM

Superman can compress coal into a diamond. Bruce Schneier can compress three paragraphs into two words.

quincunx • February 5, 2007 6:01 PM

@ Bruce

"But the iDefense rewards are low compared to bounties offered on the black market."

How could that be? Since competition, speculation and arbitrage tends to equalize the price across the globe (discounted by intermediary transaction costs), this state of affairs proves conclusively that the white hats are OVER-REGULATED and/or OVER-TAXED compared to their black market counterparts.

The solution is obvious.

Steve Parker • February 5, 2007 7:23 PM

Given the cost to MS in publicity over Windows Vista (although certainly here in the UK, it doesn't seem to be getting a lot of media attention at all), the figures cited seem very low.

Surely MS should be able to sustain such an economy internally, (without creating a culture of "I'll introduce the vuln, you fix it, we share the takings")? If they're this easy to find without the source, it's a sad statement about a "brand-new" OS.

Anonymous • February 5, 2007 8:31 PM

@Paranoid
"selling bogus software bugs sounds like easy money to me."

If you were selling an exploit to possible criminals, do you REALLY want to try conning them with a fake exploit? If that's your idea of easy money, go for it. Just remember you read it here first: Payback's a bitch.

Ralph • February 5, 2007 9:18 PM

@quincunx

This is free market theory.

In practice no market is free and it rarely works the way the theory states.

Bugs are being found; this is certainty. How they are handled from there helps shape our industry by perception and in reality.

This should concern everyone working in IT security.

Paranoid • February 6, 2007 2:38 AM

"If you were selling an exploit to possible criminals, do you REALLY want to try conning them with a fake exploit? If that's your idea of easy money, go for it. Just remember you read it here first: Payback's a bitch."

Yes, a fair point but I am still amazed that any kind of trade can be sustained in software bugs or are the people who deal in this stuff all Godfather type gangsters?

quincunx • February 6, 2007 4:50 AM

@ Ralph

"In practice no market is free and it rarely works the way the theory states."

It doesn't matter that no market is currently free - in fact that only bolsters my point. All that really matters is the relative freedom between the markets. The large price spread between the legal and black market ipso facto proves that the freedom difference is quite great. Even greater when adjusted for purchasing power.

"Bugs are being found; this is certainity. How they are handled from there helps shape our industry by perception and in reality."

Well, as long as an individual's subjective judgment of doing the 'right' thing outweighs his desire to earn a substantial multiple by doing the 'wrong' thing, the shape of 'our' industry will remain intact.

But then again...it may be slippin', and it will continue to get worse, especially if Bruce's 'clever' legislative ideas ever get through.

"This should concern everyone working in IT security."

Concern doesn't solve problems, unfortunately.

bob • February 6, 2007 1:40 PM

@quincunx
"The large price spread between the legal and black market ipso facto proves that the freedom difference is quite great."

Hogwash. It proves no such thing.

All it "proves" is that some buyers are willing to pay more for something rare with a limited lifespan, like say a Chateau Lafitte Rothschild 1957. Neither Vista bugs nor Chateau Lafitte's are fungible commodities.

Microsoft (or anyone else in the defender's role) may decide that $50K or $10K or even $1K is too much because they have other means. The defender can simply wait for the attack to surface in the wild (cost: $0), then respond to it at that time. If it takes a week for 5 developers to find and fix the bug, that's still probably not $50K out of the department budget. ($10K/week would be $520K/year, a VERY lucrative development post indeed).

The defender is also in the position of having an exploit be an externality. It affects the defender's customers, and the defender's reputation, but it doesn't affect the defender's revenue stream all that much. Besides, any really serious showstopping flaw is likely to have even MORE resources into fixing it than the normal bug-response. That is, more than 5 developers and a week's worth of time. So even really big holes can still be patched without affecting revenue.

Anyone in the attacker's role is in a different boat.

For the attacker to receive an ROI, the bug has to be remotely exploitable (not all of them are). It also has to be sufficiently non-obvious that someone else won't find it and sell it to the defender before your attack is ready to deploy. There's both a time factor in that (an unfound bug might be fixed), and a complexity factor (automated bug-finding techniques like "fuzzing" can't stumble over it).

There's also the reputation of the target itself: Vista is supposed to be much harder to exploit. Only time will tell if that's really true or not, but the attacker still has to assume that easily exploitable holes don't exist. That raises the bar for skill of entrants who want to find bugs in the first place.

The attacker may also be paying a premium over and above the free-market price (all else being equal, which it isn't). That premium is the cost of overcoming the seller's moral misgivings, i.e. the cost of turning a non-criminal into a criminal (or at least an accessory to a criminal), which has its attendant costs and risks. If I were selling to a criminal buyer, I'd want compensation for my risk of being caught and jailed.

I think the general idea is right: it's the economics. I just think you've completely missed the breadth and depth of the economic analysis here, only a modest portion of which I've outlined above.

Ralph • February 6, 2007 4:59 PM

@quincunx

"This should concern everyone working in IT security."

Concern doesn't solve problems, unfortunately.

I was not so much suggesting a solution as drawing attention to the importance of this as a development. If we can discern the changes in our environment correctly then we can make good choices to how we plan and conduct our business. We may also be able to see what the likely reaction of vendors such as Microsoft to these changes.

quincunx • February 7, 2007 1:34 AM

@ bob

"All it "proves" is that some buyers are willing to pay more for something rare with a limited lifespan, like say a Chateau Lafitte Rothschild 1957."

No. It clearly states that the good is the SAME: Vista vulnerabilities.

Both the defender and offender wish to acquire the SAME thing - after which, you are correct, their actions will be different.

To say differently is to suggest that buying Steel for making tanks and making bunkers would somehow lead to a unit price difference because one is for attack and the other is for defense.

The various conducts of business are irrelevant to the offer price. Because it is the one that found the vulnerability that must decide who to submit it to - and he frankly does not care who makes or saves money or even how they go about their business.

"The attacker may also be paying a premium over and above the free-market price."

That's correct. However the seller of the vulnerability is not really the criminal. It is the one who unleashes it. Or at the least - no one cares until it's unleashed.

Paranoid • February 7, 2007 9:13 AM

@quincunx
"Both the defender and offender wish to acquire the SAME thing - after which, you are correct their actions will be different.

To say differently is to suggest that buying Steel for making tanks and making bunkers would somehow lead to a unit price difference because one is for attack and the other is for defense."

I don't understand why you are using an analogy about steel to make a point about computer software bugs because steel and software are not comparable.

Software bugs are just ideas that can be replicated at no cost. Also, typically when a software bug is found, the discoverer may have a unique asset (for a short time).

Steel cannot be copied like software concepts and is sold by many sellers.

"... it is the one that found the vulnerability that must decide who to submit it to ..."

If I sell you a Vista bug that can be used for criminal profit, there is no guarantee that the bug will not be sold again to another party (criminal or security researcher). The factors limiting the number of times I can sell the bug are the number of buyers I can find, my fear of retaliation by criminals, possible legal problems and the age of the bug, because the longer it is known, the more likely it will be patched.

If I want to know if a steel vendor is offering me a reasonable price, I can compare prices across the market - this is absolutely impossible with software exploits, which each may have their own unique characteristics.

It's also worth mentioning that the attacker can choose to use his software bug indiscriminately, without concern for reputation whereas Microsoft have to go through a strict quality control process for their patch because they will catch hell if they release a faulty update.

It seems to me that steel and software have such different characteristics that the value of your analogy is highly questionable.

bob • February 7, 2007 3:09 PM

@quincunx
>Both the defender and offender wish to acquire the SAME thing - after
>which, you are correct their actions will be different.
>
>To say differently is to suggest that buying Steel for making tanks and
>making bunkers would somehow lead to a unit price difference because one is
>for attack and the other is for defense.

No, that's not what I'm saying or suggesting.

You seem to be saying that the item for sale, a Vista bug, is a fungible commodity, like steel, and then doing an economic analysis based on that premise.

I'm saying that a Vista bug isn't a commodity at all, and analyzing its economics like a commodity is completely wrong.

A Vista bug is more like a limited edition rare book or print, of which there are fewer instances than potential buyers. And unlike a book, which continues to exist after purchase, a Vista bug has a limited lifetime of usefulness because it can be patched without you doing a single thing. In other words, owning information isn't the same as owning an artifact.

Someone else might discover the bug and report it for fixing rather than selling to the highest bidder. Or the developer could find it and fix it. In any case, after an exploit is deployed, the developer will definitely find and fix it.

To analogize these to the rare book or print example, finding the bug and reporting it is like someone else finding a crate of identical copies of the book that was thought to have only one copy left. What happens to the price of your one book? It goes down. And if Microsoft finds and fixes the bug itself, that's like a print maker saying they'll reprint the previous limited-run of 100, because they really saved the lithographic stone. Again, the price goes down.

So the value of that original book to someone who's secretly sitting on a crate of them is less. Likewise, the value of a print from the original 100 to someone who has the lithographic stones is less. From an economic viewpoint, the value differs depending on who is buying and what information or artifacts they have, not on regulation of the marketplace.

The reason for this disparity is that an attacker can only FIND bugs in Vista, it can't ADD bugs. The defender, however, can find bugs and fix them (and also add them). So there's a different relationship to the information of where and what a particular bug is. That difference in the relationship to information leads to the price disparity. Over-regulation or under-regulation has nothing at all to do with it.

That said, if Microsoft or any other defender decides to bid for bugs on the open market (i.e. includes the black market), that's their choice. If they decide not to, that's also their choice. But since they hold different cards than the attackers, their view of what a bug is worth differs from the attackers.


>However the seller of the vulnerability is not really the criminal. It is
>the one who unleashes it. Or at the least - no one cares until its
>unleashed.

Agreed.

Except that sometimes one can be prosecuted for contributing to or facilitating criminal acts. In that case, knowingly selling to someone who intends to exploit the bug for criminal purposes could be considered a crime.

bob • February 7, 2007 3:54 PM

@quincunx

If you're going to postulate that a price differential is due to over-regulation, at least point out which regulatory body is the cause.

I see no such regulatory body, because Microsoft or any other defender is perfectly capable of contacting the bug-sellers and offering to buy the bug at the offering price. Doing so is not even illegal, AFAICT, so saying that governments are the regulatory body simply doesn't hold up to basic scrutiny.

Richard • February 8, 2007 2:37 PM

One difference between the purchase of a bug by a criminal and the purchase by a defender is that the defender has the use of the conventional legal and economic system to arrange and guarantee payments. I should think the extra risk of a "transaction failure" in the criminal purchase would be represented by higher prices.

quincunx • February 13, 2007 10:01 PM

@ bob

"Software bugs are just ideas that can be replicated at no cost. Also, typically when a software bug is found, the discoverer may have a unique asset (for a short time)."

I do not consider money as the only cost. I consider time and effort spent doing it as cost. If the discoverer has a unique asset, as you say, then he has a choice to whom he wants to sell it.
So you have just proved that the steel maker like the bug finder has the option of selling it to multiple parties - and he will typically offer it to the highest bidder.

This analysis holds true for EVERY good and service - whether or not money is involved, which most of the time it is.

"Steel cannot be copied like software concepts and is sold by many sellers."

You are correct (which is why I reject IP), but there is still a labor scarcity. Someone has to think it is worthwhile to pursue, and then who to sell it to.

"I'm saying that a Vista bug isn't a commodity at all, and analyzing its economics like a commodity is completely wrong."

Economics for commodities works the same way for services, like bug finding. There is no extra special economic analysis between goods and services.

"A Vista bug is more like a limited edition rare book or print, of which there are fewer instances than potential buyers. And unlike a book, which continues to exist after purchase, a Vista bug has a limited lifetime of usefulness because it can be patched without you doing a single thing. In other words, owning information isn't the same as owning an artifact."

Well what about bananas? They spoil too but the economic analysis works exactly the same, although the entrepreneurial procedures have changed.

"Someone else might discover the bug and report it for fixing rather than selling to the highest bidder. Or the developer could find it and fix it. In any case, after an exploit is deployed, the developer will definitely find and fix it."

Well if others did in sufficient quantity, then the demand is satisfied - and thus no price is necessary to make up the shortfall of bugs being found.

But since the price does exist we cannot conclude that it is happening in sufficient quantity. Who pays for services they can do without?

"To analogize these to the rare book or print example, finding the bug and reporting it is like someone else finding a crate of identical copies of the book that was thought to have only one copy left. What happens to the price of your one book? It goes down. And if Microsoft finds and fixes the bug itself, that's like a print maker saying they'll reprint the previous limited-run of 100, because they really saved the lithographic stone. Again, the price goes down."

Right. The price goes down across the board for all holders of that book, so why is there still such a large price difference? I agree that price differences can result from market segmentation (gov trade interference), but the internet is not really subject as much to such interferences.

"From an economic viewpoint, the value differs depending on who is buying and what information or artifacts they have, not on regulation of the marketplace."

No, that is just silly. You do not get a software discount at say BestBuy if you tell them you like to hack around and you have a lot of programs installed. What you've got is irrelevant to a sale. The only thing that matters is what you are offering and whether the other party agrees.

"The defender, however, can find bugs and fix them (and also add them)."

What I'm saying is that there is a third option available: arbitration. If you work for a defender and receive information, you can just resell it to a higher bidder. That's why it's a problem.

"So there's a different relationship to the information of where and what a particular bug is. That difference in the relationship to information leads to the price disparity"

This holds true - information is key. But again that just leaves open a big information gap that can be profitably patched up through arbitration.

"That said, if Microsoft or any other defender decides to bid for bugs on the open market (i.e. includes the black market), that's their choice If they decide not to, that's also their choice. But since they hold different cards than the attackers, their view of what a bug is worth differs from the attackers."

Sure. They can do what they want to, but they will not clear the market.

"If you're going to postulate that a price differential is due to over-regulation, at least point out which regulatory body is the cause."

IRS. Less money for government = higher offering price to bug hunters.

Also, less legal assault (both in the US and Europe) would probably help too.

"I see no such regulatory body, because Microsoft or any other defender is perfectly capable of contacting the bug-sellers and offering to buy the bug at the offering price."

True, but an offer is not a sale.

@ Richard

" I should think the extra risk of a "transaction failure" in the criminal purchase would be represented by higher prices."

I would think that as well, and it makes perfect sense. However the price difference between areas with drug legalization and suppression is nowhere as great - and yet transporting physical goods is much harder.

I think there are easy and effective ways to launder the money across borders, mitigating the risk of getting caught. It's usually accomplished by channeling it through a network of shell companies. I recall reading that setting up such a network for operations can run as low as 50K, and can even then be outsourced to multiple clients. But I don't really know much else about it.

X the Unknown • February 14, 2007 1:14 AM

@quincunx: "Right. The price goes down across the board for all holders of that book, SO is why is there still such a large price difference? I agree that price differences can result from market segmentation (gov trade interference), but the internet is not really subject as much to such interferences."

Well, not really. The price goes down only if the holder of 100 books announces his/her hoard (and intent to sell them). If my interest in a particular bug is to use it as an exploitation tool in a larger, clandestine operation, I may have no interest whatsoever in selling it - much less in announcing it.

Perhaps I expect to make more money through my operation than the "going price" for a bug. Alternatively, perhaps I am not financially motivated - say I am a mythical cyber-terrorist intent on wreaking havoc within some defense industry systems.

In either case, I may be willing to sell, but only to a very restricted set of trusted clientele. Instant market segmentation without any government interference...

Paranoid • February 14, 2007 7:45 PM

@quincunx

First things first. I am not 'bob' I am 'Paranoid'.
You appear to have mixed up my comments with bob's or was that intentional? If so, we seem to disagree.

My point was that steel and software bugs have different characteristics hence your analogy about steel prices for attackers and defenders was not a good one. Please reread my comment.

I will try to illustrate my point again by example:

Let's say I have a block of steel and a software bug I want to sell. I proceed to sell the steel at market rate and sell the bug as well.

Next day I want to sell more stuff.

Can I sell the same steel again? No (at least not legally) because I only had one piece and it is gone. I may be able to produce more but the steel I sold has definitely gone somewhere else; there are no backup copies of steel.

Can I sell the bug again? Of course I can (I kept a copy and strictly speaking the only way to destroy my copy is to blow my brains out if I understand the bug anyway). The number of buyers and prices I can negotiate may change because once the bug becomes common knowledge its price drops to near zero. I noted various factors that would limit how many times I could resell the bug in my original post.

"I do not consider money as the only cost. I consider time and effort spent doing it as cost."

Fair comment but one of the most extraordinary aspects of IT storage is that (replication) storage costs are rapidly dropping off to near zero.

Software and steel are different industries entirely. You could swap out 'software bug' for 'my new killer software application' and the basic argument is still true - once I have written the software, I can license it as many times as I like (though there may be support and other issues to be considered as well).

Steel is a standardised physical commodity. Software (especially bugs) isn't.

bob • February 15, 2007 7:05 PM

@quincunx

I will skip points that I think have been adequately addressed by Paranoid.


>You are correct (which is why I reject IP),

IP is irrelevant to this question. Information possession *IS* relevant, crucial even, but I don't think that's what you mean by "IP".


> but there is still a labor scarcity.

Yes, there is a scarcity of labor skilled enough to find bugs in Vista. Duh. That's why the price for a Vista bug is higher than for, say, W95.

There is also expected to be a large population of Vista users to exploit, hence the price for a Vista bug is higher than for, say, a Mac OS X bug.


>Someone has to think it is worthwhile to pursue, and then who to sell it to.

Duh. There are always opportunities for finding bugs in software. There isn't always the skill, nor is there necessarily a bug in the code being prospected. It's like any prospecting venture: skill, luck, and location are all involved.

Of course someone is going to think it's worthwhile, while someone else will not. What does that have to do with the price? A higher price attracts more prospectors, but that's obvious. Equally obvious is that a higher price is more likely to seduce a white-hat into becoming a black-hat.

Neither of those has anything to do with the price DISPARITY between attackers and defenders, though.


>Well what about bananas? They spoil too but the economic analysis works exactly the same, although the entrepreneurial procedures have changed.

Bananas and steel share one important attribute: they are physical. Information is not physical.

The only way there can be "spoilage" of bug information is if someone else finds the same bug and submits it for fixing. If no one else is looking for bugs, then the information can't "spoil" or degrade. That's because the software that has the bug doesn't change or alter over time. It doesn't spoil because it's information, too. So until someone else finds and fixes the bug, it will remain there.


>But since the price does exists we can not conclude that it is happening in sufficient quantity.

This sentence makes no sense. That WHAT is happening in sufficient quantity. I think some words are missing.


>You do not get a software discount at say BestBuy if you tell them you like to hack around and you have a lot of programs installed.

I may not get a discount at BestBuy, but I *DO* get a hardware discount from Apple if I'm a developer enrolled in their program. Why would Apple do this? Because I write software that runs on Macs, and that helps sell Macs, so Apple is interested in helping me write software.

And maybe I *WOULD* get a discount at BestBuy if I wrote some database sales software for them. Or I might not get a hardware discount at BestBuy, but I certainly know some system builders who are more than happy to give discounts if I write or modify some software for them. I don't consider this strange; it's just barter.

None of this has anything to do with the price disparity, though.


>What you've got is irrelevant to a sale. The only thing that matters is what you are offering and whether the other party agrees.

Dead wrong, and almost certainly a fundamental flaw in your reasoning. It matters VERY MUCH what I've already got. "Who pays for services they can do without?"

Indeed, who pays for ANYTHING they can do without?

Microsoft has the source for Vista, so their view of what they can do without, or how much to pay if they do want it, is quite different from someone who doesn't have Vista's source.

Remember that attackers cannot ADD bugs to Vista. They can only find and use the EXISTING bugs. It's like prospecting for gold or any other rare physical commodity. All you have is your prospecting skills and some luck. You don't decide where the gold is. Its location is determined by forces beyond your control, just as the location of Vista bugs is for attackers.

But the location of bugs and fixes is NOT beyond Microsoft's control, so their view of what to pay differs from that of attackers. Essentially, Microsoft believes they would be paying for something they can do without.


>What I'm saying is that there is a third option available: arbitration.

Huh? What does arbitration have to do with anything, if I'm trying to sell my information to maximize my profit?


>If you work for a defender and receive information, you can just resell it to a higher bidder.

They could indeed. One might question their ethics, but nothing is stopping them from reselling it. They could also amortize their costs by selling a service to other customers who want to find out about bugs and fixes. Which is what Gleg and iDefense do.

Still not relevant to the price disparity, though.


>That's why it's a problem.

That's why WHAT is a problem? The ethics of the defender? The ethics of the seller? The ability to resell information while still retaining the original information?


>Sure. They can do what they want to, but they will not clear the market.

They don't HAVE to clear the market. Microsoft has Vista's source: they can ELIMINATE the market for a reported bug, so in a very real and concrete sense, they CONTROL the market for Vista bugs. If you want a regulatory body for Vista bugs, at least consider what Microsoft can do.

They can apply the information from a reported bug to eliminate it, and destroy the market for that bug by making it disappear. Eliminate the bug in the product and you eliminate the entire market for exploits of that bug. You can't exploit a bug that's no longer present. Nothing could be more obvious.

In reality, not even Microsoft can TOTALLY eliminate the market for a given bug. There are always stragglers who don't upgrade. But Microsoft can most definitely crash the general market price for a bug: they issue a patch.


>IRS. Less money for government = higher offering price to bug hunters.

You're making this up. In what way does the IRS regulate the price for bugs? Less money for govt in what way? Taxes on reported income?

I've reported many bugs over the years, some of which had monetary bounties. Some years I'd make over $1000 in bug bounties. Because I'm a mindless fool, I reported it as ordinary income and was taxed for it. If I'd sold it on the black market, I would have demanded a cash payment and NOT reported the income. There'd be no way the IRS could have caught me, so there's no way the IRS could be said to be regulating the black market price for bugs. Anyone who reports illegal income to the IRS deserves what they get for being such an idiot.

A much more plausible explanation for the price disparity is that attackers are willing to pay more because they understand they are at a disadvantage relative to MS. That, and they also believe that Vista has fewer exploitable bugs in the first place. Therefore there is scarcity pricing (both in number of bugs and skill level needed to find them), and there is the price differential for attacker/defender information disparity.

There's no need to conjure a regulatory boogieman out of thin air, when it can all be explained quite well with perfectly ordinary business economics.


>Also, less legal assault (both in the US and Europe) would probably help too.

Duh. That's the difference in price for risking criminal prosecution. Already mentioned in prior posts, but still not relevant to the price that Microsoft would be willing to pay.

Other defenders may well be willing to pay the offering price on the black market. They may even consider it a bargain. Presumably they can amortize the costs among their direct customers, and also report the bug to Microsoft. But if the defenders are operating legally, reporting their income and their costs, then in what way does the IRS "regulate" the price of bugs they decide to purchase?

I'm not seeing the IRS influence even for law-abiding players, because it's just a deductible business expense for them, and they only pay taxes on the difference between income and expenses. Since players like iDefense charge their customers a lot, you'd expect any single bug to easily be amortized, and so iDefense would be willing to pay MORE for a single bug.


>True, but an offer is not a sale.

Now you're just being silly. OK, so let's say Microsoft BOUGHT the bug at the open market selling price. What regulatory agency is involved in that transaction? Certainly not the IRS, because MS isn't evading taxes. The seller may be evading taxes, but that's not MS's concern.

bob • February 15, 2007 9:48 PM

@X the Unknown
>If my interest in a particular bug is to use it as an exploitation tool in a larger, clandestine operation, I may have no interest whatsoever in selling it - much less in announcing it.

You would not want to sell or announce the bug before deploying your exploit, but as soon as it's deployed, the exploit itself unavoidably shows what the bug is and where it's located. It takes a little time to track it down, but this is far less time than it took to discover the bug in the first place, or to write a suitable exploit for it. Trackdown can happen in a matter of a few hours, or even less.

Defenders know this and count on reaction time in their ability to defend. Defenders with source, i.e. Microsoft, are in an even better position because they don't have to reverse-engineer the defective code to figure out the bug: they just read the source. This is one reason defenders aren't willing to pay black-market prices for bugs: they believe they can counter an attack by rapidly discovering the bug, since the exploit has to reveal its secret (the bug) when the attack occurs. Something about not paying for something you believe you can do without.

Armed with the exploit itself and information about the bug, defenders can rapidly deploy a work-around or fix, putting a halt to the exploit. A mitigation that slows an exploit may come even sooner than an actual fix, and that also gains time to find a fix. That defines a more or less narrow window of opportunity in which the exploit has to recover investment costs and generate profits, all while lots of defenders are working to make that window as small as possible.

This is all well-known in computer security circles, and shouldn't be a revelation to anyone with a modicum of experience in software development. However, it appears to be incomprehensible to quincunx, who still seems to be thinking of bugs as fungible commodities obtainable in arbitrary quantities, like bananas or steel.
