Dealing in Vulnerabilities - Denying the Vendor
Full disclosure, responsible disclosure, malicious exploit use, there are so many ways to act when you find a vulnerability.
What about disclosure to a select band of people (selected only by their ability to pay you a bucket of money every year), and demonstrating the vulnerability publicly, while simultaneously withholding details of the vulnerability from the vendor in whose product you found the hole?
That's what Russian Security research company Gleg is doing right now with RealNetworks, according to an Analysis piece in this week's eWeek (sorry, eWeek, I'd link to the article, but I couldn't find it online).
The researchers at Gleg found a vulnerability that allows them to execute their choice of code on any system whose user they can convince to play a song in RealPlayer - and there's not a lot of convincing that needs to go on.
RealNetworks have contacted Gleg and requested, on a number of occasions, to receive details of the vulnerability. Gleg refuses. Repeatedly.
Why?
"We need an exclusive time period to protect our customers..." and "We tried to work with vendors in the past and received a very negative experience."
If this "negative experience" is the usual complaint of vulnerability researchers, it is that vendors are non-responsive when vulnerabilities are reported - clearly in this case, that's not true. RealNetworks are asking Gleg to allow them to respond to the vulnerability.
Subscriptions to vulnerability researchers' "services" already seem rather like a protection racket - "pay us every month, so we can tell you how to prevent your systems from being exploited by something that we found".
With this refusal to disclose to the vendor without them becoming a customer first, this seems more like blackmail.
As Dave Aitel of Immunity states, for RealNetworks to subscribe to Gleg's service might very well be "a drop in the bucket for them", but consider that it's Gleg that discovered this vuln, it might be Immunity for the next vuln, you can't predict who's going to find the next vulnerability in your software. A few drops and you've overflowed your bucket. [For those of us vendors with a thimble-sized bucket, a single such drop is going to be too much.] How do you go to the CFO and ask for more money because there's another dozen security research companies starting up this month? How do you classify the return on investment?
Oh yeah, Immunity... "Immunity does not share its findings with affected vendors" either, according to the article.
I understand that security researchers have to feed their families, but there has to be a better way than protection rackets and blackmail.
I've often stated that I got into security because I wanted in some small way to help save the world - I don't like people who are apparently in this business solely to make money, and with no interest for improving the world around them. It's a short step from there to developing malware for pay.
Update: Just to prove I'm not making this one up (eWeek, where's that article online?), the story is also reported at DaniWeb.