Rob LemosBy any measure, Luigi Auriemma is a prolific vulnerability researcher. In the first ten months of 2011, the pay-for-bugs program Zero Day Initiative credited Auriemma with discovering 30 vulnerabilities, ranging from issues in Sybase enterprise software to Adobe Shockwave to Apple Quicktime. In its Upcoming Advisories section, ZDI listed Auriemma with finding another 35 vulnerabilities that still await fixes from their developers. The vulnerability researcher, who has made his name in part by finding SCADA bugs, is not yet ready to leave his day job. Despite ZDI’s bonus system, his independent research is not a career, he says.

“Vulnerability research is just a secondary thing, so sometimes I dedicate my time to it while other times I don’t touch it for days or even weeks,” Auriemma explains. “This is a good thing for occasional researchers or for [those] who have found or can find a good source of bugs in software accepted by these companies.”

The researcher’s dilemma highlights a fundamental problem with the economics of vulnerability research: Despite the danger that vulnerabilities pose to companies that rely on the flawed software, information about security issues continues to have only a marginal value to most legitimate companies and has failed to create any reliable source of income for most of the hackers and security professionals focused on finding flaws.

The end result: The disconnect between the value of vulnerability information to criminals and the value to security firms and developers poses a major problem for protecting information systems.

“I think the vendors are guilty for this situation,” Auriemma says. “Why a multi-billion-dollar vendor included in the S&P500 must have a professional security audit for free?”

There are currently 20 programs that reward researchers for finding security flaws or that buy bugs outright. While Google, Mozilla, and Facebook award researchers with rewards from the common $500 honorarium up to $3,000 depending on the criticality, the Zero Day Initiative, started by network security firm TippingPoint and now part of Hewlett-Packard, is the major white market for vulnerabilities. In both 2010 and 2011, ZDI accepted more than 300 reported security flaws. The iDefense Vulnerability Contributor Program, the oldest third-party program to pay for vulnerabilities, bought more than 100 flaws per year at one point, but now averages about 20 issues per year, according to the Open Source Vulnerability Database (OSVDB).

A handful of researchers do well enough with ZDI to make a career of it, says Aaron Portnoy, manager of security research at HP’s DVLabs. The program has paid out almost $3o0,000 to one particular researcher over the lifetime of the initiative, while the top 3 researchers in 2010 made more than $100,000.

“These guys can definitely make a legitimate living off our program,” says Portnoy. “There will always be bugs to find.”

On Wednesday, security firm Secunia announced its own contender. The company’s Vulnerability Reward Program will act as a point of coordination between researchers and software vendors. The company will confirm a researcher’s findings and report the information to the software maker. Researchers will receive small rewards for individual contributions and two more significant bonuses — all-expense paid trips to major conferences — will be awarded to the most valuable researcher and the person who reports the most interesting vulnerability. The program is not designed to compete with HP’s ZDI and iDefense’s VCP and so will not be offering larger sums to researchers, says Carsten Eiram, chief security specialist with Secunia.

“All these program have some business model wrapped around them,” says Eiram. “So they are willing to pay money, but they will only pay if they have some sort of value to their business.”

Because each program focuses on the software products used by the managing company’s customers, bug buyers can go after mutually exclusive vulnerabilities, keeping competition minimal and prices low. Secunia’s service will accept vulnerabilities that the other programs would not, which does not add competition to the market.

“We have gotten requests from researchers to help them coordinate the disclosure,” Eiram says.

Skipping the third-party programs and dealing directly with the vendor has benefits and can sometimes pay more. The price of the average find from ZDI and iDefense is under $2,000, where a critical flaw could get Google’s elite reward, $3,133.70. The programs are worth the time of a researcher, especially if they are just starting to get into code audits and security, says Neal Poole, a computer science major at Brown University. Poole has submitted more than 20 issues to Google and 10 each to Facebook and Mozilla as well as some to CCBill, an e-commerce software maker.

“It’s definitely been worth my time,” he says. “The experience I have gained is valuable.”

Could he make a long-term career out of it? “I feel like I don’t know enough to answer the question,” he says.

Taking research beyond just finding vulnerabilities and creating code to exploit the security issues is one way to make more per vulnerability. Gleg Labs, a Moscow-based security firm, creates collections of code to exploit vulnerabilities in certain classes of systems. Its Agora and SCADA+ module packs include exploits for just-publicized vulnerabilities in Web-based systems and industrial control systems, respectively, and plug into security software maker Immunity’s Canvas penetration-testing tool. The exploit packs sell for thousands of dollars each.

While the company would not answer questions about sales or revenues, it employs multiple researchers and is expanding, according to CEO Yuriy Gurkin.

“For now, we are [doing] well enough with that work, and we evolving,” he says.

Like Gleg, the way forward for vulnerability researcher may be to move onto exploitation or to become a consultant, using the knowledge of vulnerabilities to perform better penetration testing.

Categories: Vulnerabilities

Comments (2)

  1. Anonymous

    Lol, I see you’ve used Luigi Auriemma’s average as a reference for the amount that is paid. 🙂 He gets paid for the amount of work he does, which is nearly none. 😀 (hi luigia) You should interview someone’s who actually does awesome research such as Sami Koivu on how much he earns from the zdi per case. 😉

  2. ormid

    As Bruce Schneier has been proclaiming for years, changing the liability model for (exploited) vulnerabilities would alter this picture in dramatic ways.

Comments are closed.