The Hacker Economy (1)

Last week at the RSA Security Conference, several interesting workshops explored aspects of criminal hacking. One of them, conducted by Charlie Miller, examined the incentives for finding and disclosing vulnerabilities in enterprise software.

Imagine you are a Romanian software engineer with time on your hands, and you are able to find an unpatched vulnerability in an enterprise software program. The good news is that you can sell the information about the vulnerability for several times your monthly salary.

The bad news, for almost everyone else, is that you can get much more for it on the black market than from the two other legitimate buyers. Neither the manufacturer nor legitimate firms such as iDefense and Tipping Point, who package vulnerabilities for testing use by corporate computer security departments, will pay as much.

Tipping Point's Zero Day Initiative encourages vendors to patch their software via transparency. One of the pages, Upcoming Advisories, provides a list of known, unpatched vulnerabilities from major vendors. The vendors have been notified but have not issued a patch.

A recent look showed 34 "high severity" vulnerabilites that have been pending for over 8 months on average since Tipping Point notified the vendors. Obviously, room for improvement! We'll talk more about why vendors are slow in a later post.