Offense is Being Pushed Underground

VANCOUVER–One of the first things we’re taught as kids is that sharing is good. If you have two Chocodiles and Billy has none, you give him one. Sharing once was the norm in the security community–or, more specifically, certain sections of it–as well, but if the atmosphere at the CanSecWest conference this year is any indication, those days are quickly coming to an end.

In past years, the talks delivered at CanSecWest were among the more relentlessly technical presentations you’d see at any conference. New exploitation techniques, fuzzing methods and tool releases were the norm and security officials from Microsoft, Google, Apple and other companies hovered around wondering which of their products would wind up being dissected in one of the talks. Sometimes, it was all of the above.

But things have changed, and it’s not clear exactly why that is. This isn’t to say that the quality of the speakers or the talks has dropped; that’s certainly not the case. In fact, they’re as good as ever. It’s more a feeling that, in the current climate, researchers are less willing to share everything they know with the wider community. It may be the case that, as it was decades ago, top-level offensive security research is being pushed underground again.

Today’s climate is unlike anything that’s been seen in the security world in recent memory. There’s public dissatisfaction with the way that offensive research is conducted and disseminated, while at the same time there is more demand for that research than ever before. Researchers who once had severely limited options for what to do with their work now have a wide range of choices. At one time it was either go public, disclose it to the vendor or, if you had the contacts, sell it on the black market. These days, a talented researcher or exploit writer might consider those three options only as last resorts.

The public and private markets that have emerged for vulnerabilities in the last few years have opened up huge opportunities for researchers, not just in terms of options, but also in terms of making serious money. Consider the two hacking contests here this week, TippingPoint’s Pwn2Own and Google’s new Pwnium. As part of Pwn2Own the contestants don’t have to disclose their exploitation techniques or anything other than the details of the crash that led to the vulnerability. That’s attractive to folks who want to retain some of the IP for the work they’ve done finding and exploiting the bugs they’re using.

VUPEN, which arrived at the contest this year with ready-made zero days for each of the major browsers, is competing in Pwn2Own, where the top prize is $60,000. To win that, they may need to use several bugs, but the first one they chose to use was in Google Chrome. They’re not, however, participating in Pwnium, where the rules are slightly different. In Google’s contest, participants must relinquish the details of the vulnerability as well as the exploit. However, there is practically no limit on the amount of money that a researcher can earn, as Google has committed $1 million to the contest. Only one researcher has been successful in hacking Chrome thus far, but he earned $60,000 for his trouble and his exploit.

So, VUPEN could have earned exactly the same reward from Google for its one Chrome bug that it might win from Pwn2Own. But, the difference is that they don’t have to give up their exploit and sandbox escape to Google now. Google can still patch the bug that VUPEN used, but it won’t have the details of how it was exploited. And VUPEN can continue to use that technique in other instances.

The money at stake in these contests is for real, but it’s relatively small when compared to the cash that’s available in private bug sales. Stories of researchers selling vulnerabilities to defense contractors and government agencies for six figures have been circulating for years now, and few researchers ever confirm them. But those sales are happening for sure, and for the researchers who do the work and find a willing buyer, it’s hard to argue that they shouldn’t make the sale. On a purely financial level, making a year’s salary in one sale is virtually impossible to turn down.

Arguments will continue to rage about the ethics of these sales, and it’s an un-winnable fight regardless of which side you’re on. The fact is that money talks, and there’s a lot of it available to those who know where to find it. That likely will increase in the coming years as governments and other buyers ramp up their offensive capabilities and the demand for high-level bugs and exploits continues to rise.
Whether that state of affairs is good for the general public is debatable, but that looks like the direction we’re headed.