Marc Maiffret, a security researcher known for his controversial opinions on software security and his efforts to get Microsoft specifically to improve the security of its products, is returning to eEye Digital Security, the vulnerability management company he helped found more than a decade ago. After several years away from security research and a short stint with anti-malware vendor FireEye, Maiffret said that he was eager to get back into the research game, which has changed dramatically since his early days at eEye.
I spoke with Maiffret recently about his decision to move back to eEye and the ways in which research, disclosure and remediation have changed in the last 10 years.
Fisher: Why did you decide to go back to eEye now? You’ve been gone for a while.
Maiffret: Everything just sort of clicked. I met some of the current management team and it definitely clicked and the importance of research to the company and the room for innovation in vulnerability research was there. It was good timing. My heart’s always been with the company, so I’m more than excited to get back. eEye was this crazy train ride and the last few years have been great to step back and try different things and get some perspective on what’s important. Everything lined up and made a lot of sense. This is a really exciting thing for me and I’m ready to pull a Steve Jobs and get back into it.
Fisher: Your first time around at eEye you guys were known as kind of the researchers who didn’t mind annoying the vendors by going full disclosure or going to the press to get a vulnerability addressed. The climate has changed a bit since then.
Maiffret: Yeah, it was reflective of the industry in general at the time. There were definitely other companies doing it at the time, but a lot of those companies don’t do it anymore because the threat landscape has changed. It’s a losing battle. Our focus was on Microsoft and we were a driver to get them to take things more seriously. It was very successful, but things are different now. Companies like Microsoft get it. They’re showing what an enterprise software company can do in that respect. Our focus now is on trying to educate customers on the bigger trends and changes in what’s happening. When you look at stuff in the vulnerability space, reacting to that is a losing battle. Now it’s about research in terms of what’s working for people. We have great visibility into what’s going on with customers. We can tell what’s real. Not everything that seems like a crazy critical vulnerability is.
Fisher: So do you still think there’s any value in vulnerability research?
Maiffret: Yeah, for sure. You’ll see some classic eEye research from us. But now it’s about how can research fuel change within the community and within IT. That’s always been our focus, that’s been our main goal, to fight for IT. And whether that’s having an unpopular opinion or speaking out against some of the largest of the large software companies, so be it. But I don’t think that you can say that pouring a lot of resources into finding vulnerabilities has the best impact. A lot of it is how do we get ahead of the attackers. That’s where a lot of our focus is.
Fisher: How do you feel about the organizations that now buy vulnerabilities from researchers? Is that something you guys would get into?
Maiffret: I don’t think so. For us, it’s about doing the work ourselves and showing that value to our customers. But there’s a balance that needs to be met. Microsoft has made major improvements in securing their technology. Everyone can agree there’s still room for improvement on third parties discovering vulnerabilities. It’s correct that independent researchers need something more than a one-line acknowledgement. That’s not enough for them to spend four months on a vulnerability, then have to prove it to the vendor and do a lot of the work for them. What Microsoft and others are concerned about is it turning into a ransom situation, but I don’t see that. This is an important thing. There’s not enough dialogue between the researchers and Microsoft or other vendors. They’re not really talking. It’s just as much Microsoft as the researchers. The researchers never say what Microsoft can do to make them happy. That hasn’t happened yet. It’s crucial because there was a significant number of guys responsibly reporting to Microsoft. And now they’re not because they’re being sold to defense contractors or underground buyers or whatever. Microsoft and Adobe and the others, it’s in their best interest to see how they can get these vulnerabilities off the street.
Fisher: So then you end up with researchers who get killed for disclosing a flaw, and then they go away and don’t do it publicly anymore and everyone kind of loses.
Maiffret: I think it was bubbling below the surface for a long time. Tavis [Ormandy] is truly a classical security researcher. He seems like he just loves doing it and does what he believes is right. Obviously, the way it all went down, he and others are unhappy on both sides. There hasn’t been a conversation on what’s the middle ground. Typically when you report a vulnerability, it takes an insanely long amount of time to be resolved and it doesn’t have to take that long. You’re putting people at risk. But what’s the alternative? Why should it take two or three months? A lot of the researchers are looking for an agreed upon time frame. Three months is a good general time frame. But when researchers don’t do exactly what the vendor thinks is right, they get painted as this terrible person and the vendor tries to make them look bad. We’re not OK with waiting indefinitely because that’s not in anyone’s best interests. It should be up to the researcher to do whatever they think is right, including releasing the information without a patch. There should be some agreement on that. But the dialogue hasn’t even begun.