Links

Ben Laurie blathering


Tipping Point’s Business Model

One of the great things about Shmoocon is that I get to hang out with my fellow Shmoo, who have extremely diverse backgrounds and interests (errr, given that we’re all obsessed with security, that is). So, last night, at the Shmoo decompression, several of us were discussing responsible disclosure, and in particular the business model of companies that buy exploits, such as Tipping Point.

I’ve always been somewhat uncomfortable about organisations like CERT or NISCC, which don’t actually pay for exploits, but nevertheless are in the business of encouraging people to give exploits to them first. Once they have the exploits they first give them to “critical” stakeholders, and, later, the rest of the world gets to hear about them.

Tipping Point and friends simply take this model and commercialise it: pay the exploit writer for the exploit, then sell it to your subscribers. For a lot of money. But don’t make the mistake of thinking CERT or NISCC are not in it for the money – they are, of course, but in their case it’s called “budget” instead of “profit”.

So, what’s wrong with this picture? Well, my original objection to CERT and NISCC was that they obviously have to choose who gets the early announcements, and there’s no fair way to do that. Even worse, if you’re going to claim to protect critical infrastructure, then you have to include the vendors who supply that infrastructure. Of course, these vendors then get to exploit that information commercially – it gives them an edge on their competitors. And since you don’t get to supply critical infrastructure unless you are huge, this creates an artificial bias towards huge companies.

Is commercialisation any better? Well, at least it’s a little more honest: anyone with enough money can play, not merely those who are best at shmoozing. But it still biases towards the well-heeled.

However, that’s not the worst of it, and this is what became clear to me last night. What’s worse is that many of those subscribed to these early announcement services have an interest in using these exploits. In the case of the CERT/NISCC model it will be the military and TLAs that will be in the market for useful exploits. Of course, they will still have access in the commercial cases, perhaps even at reduced rates (never hurts to keep the government happy, right?) – but worse still, commercialisation of the exploit market gives easy access to criminals (I’m sure that some do even in the CERT/NISCC model, but it must be harder to get that than by simply forking out money).

Of course, this is not a good place to be. Is there anything to be done? I think so, but more on that later.

I don’t mean to single out Tipping Point particularly; they just happen to be the first I thought of. If people send me links to others I’ll compile a comprehensive list.

8 Comments

  1. Hi Ben,

    Great post, though I feel CERT cannot catch up these days 🙂 In my opinion, the commercialization of vulnerability research would end up a tricky game of ethics for everyone, what do you think?

    I once had a chat with Dave Endler from TippingPoint, you can find it at my original post:

    http://ddanchev.blogspot.com/2005/12/0bay-how-realistic-is-market-for.html

    Cheers,
    Dancho

    Comment by Dancho Danchev — 16 Jan 2006 @ 19:16

  2. I think I’ve said what I think!

    Comment by Ben — 17 Jan 2006 @ 13:29

  3. Hubba hubba!

    But really now, is money more honest than shmooze? By candle light it’s hard to say.

    Comment by Ben Hyde — 18 Jan 2006 @ 5:19

  4. It’s all about how you feel the morning after.

    Comment by cat — 18 Jan 2006 @ 15:31

  5. […] A long time ago, I wrote about Tipping Point and friends, whose business is selling exploits. Today I read that Underground hackers are hawking zero-day exploits for Microsoft’s new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro. […]

    Pingback by Links » Will The Real Hacker Please Stand Up? — 28 Dec 2006 @ 12:56

  6. […] wails Terri Forslof of zero-day vendor, TippingPoint. I don’t know, Terri, but I’ve been wondering how you figure that out for some time. Companies like TippingPoint and VeriSign’s iDefense both pass along details of vulnerabilities they buy to the affected software vendors, and both withhold public disclosure of the flaws until the vendor has shipped a “patch” to plug the security holes. […]

    Pingback by Links » Hypocrisy in the Exploit Market — 13 Jul 2007 @ 15:36

  7. […] wails Terri Forslof of zero-day vendor, TippingPoint. I don’t know, Terri, but I’ve been wondering how you figure that out for some time. Companies like TippingPoint and VeriSign’s iDefense both pass along details of vulnerabilities they buy to the affected software vendors, and both withhold public disclosure of the flaws until the vendor has shipped a “patch” to plug the security holes. […]

    Pingback by Ben Laurie: Hypocrisy in the Exploit Market | Server software — 13 Jul 2007 @ 19:28

  8. […] years after I first blogged about it, the EFF have decided that selling 0days may not be so […]

    Pingback by Links » EFF Finally Notice 0day Market — 3 Apr 2012 @ 13:37
