One of the great things about Shmoocon is that I get to hang out with my fellow Shmoo, who have extremely diverse backgrounds and interests (errr, given that we’re all obsessed with security, that is). So, last night, at the Shmoo decompression, several of us were discussing responsible disclosure, and in particular the business model of companies that buy exploits, such as Tipping Point.
I’ve always been somewhat uncomfortable about organisations like CERT or NISCC, which don’t actually pay for exploits, but nevertheless are in the business of encouraging people to give exploits to them first. Once they have the exploits they first give them to “critical” stakeholders, and, later, the rest of the world gets to hear about them.
Tipping Point and friends simply take this model and commercialise it: pay the exploit writer for the exploit, then sell it to your subscribers. For a lot of money. But don’t make the mistake of thinking CERT or NISCC are not in it for the money – they are, of course, but in their case it’s called “budget” instead of “profit”.
So, what’s wrong with this picture? Well, my original objection to CERT and NISCC was that they obviously have to choose who gets the early announcements, and there’s no fair way to do that. Even worse, if you’re going to claim to protect critical infrastructure, then you have to include the vendors who supply that infrastructure. Of course, these vendors then get to exploit that information commercially – it gives them an edge on their competitors. And since you don’t get to supply critical infrastructure unless you are huge, this creates an artificial bias towards huge companies.
Is commercialisation any better? Well, at least it’s a little more honest: anyone with enough money can play, not merely those who are best at shmoozing. But it still biases towards the well-heeled.
However, that’s not the worst of it, and this is what became clear to me last night. What’s worse is that many of those subscribed to these early announcement services have an interest in using these exploits. In the case of the CERT/NISCC model it will be the military and TLAs that will be in the market for useful exploits. Of course, they will still have access in the commercial cases, perhaps even at reduced rates (never hurts to keep the government happy, right?) – but worse still, commercialisation of the exploit market gives easy access to criminals (I’m sure that some do even in the CERT/NISCC model, but it must be harder to get that than by simply forking out money).
Of course, this is not a good place to be. Is there anything to be done? I think so, but more on that later.
I don’t mean to single out Tipping Point particularly; they just happen to be the first I thought of. If people send me links to others I’ll compile a comprehensive list.