Wednesday, 29 March 2023

Are Security Researchers Sitting on Vulnerabilities to Get the Most Money?


A couple of days ago we posted a story about a group of developers who complained to Valve about its lack of a bug bounty. Implicit in their complaint was the idea that a financial reward would motivate people to find and report bugs and exploits in a timely manner. On the surface that seems to make sense, but there is a flip side to this line of thinking: there will also be times when people sit on a finding until they can extract the most money from it.

As an example, the security research company VUPEN sat on a critical exploit for three years so that it could be used at a Pwn2Own contest and cashed in there. The flaw in question affected multiple versions of Internet Explorer (8 through 11) and allowed an attacker to break out of the browser's Protected Mode sandbox. The delay in reporting is not the longest on record, but the reason for it is worth noting: the bug was held back for a payout, not because disclosure would have been unsafe.

It is important to note that most companies do have rules about public disclosure, and those rules cover demonstrations at competitions such as Pwn2Own. Many set a hard window of 90 days after a bug is reported to the vendor before it may be made public. In some cases the window is instead 90 days after a fix has been developed and pushed out. The latter is becoming more common as corporations seek to keep their most critical vulnerabilities private for as long as possible.

In many ways we can understand the required delay, as it helps to keep malicious individuals from using the bug while a fix is developed. On the other hand, the exploit may already be in use in the wild, in which case any delay in reporting the flaw or publishing a workaround allows more systems to be compromised. After all, the "bad guys" have no interest in letting anyone know about an attack vector they are using.

Considering the number of vulnerabilities reported last year, 6787, we are starting to wonder whether developers are getting less imaginative or are simply ignoring some very basic security concepts. Buffer overflows alone account for almost 25% of all reported vulnerabilities, and that class of bug has been with us for well over 25 years. You would think that by now the industry would have noticed and adopted proper methods of mitigating it.
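The "basic concept" behind the buffer-overflow statistic is simply copying attacker-controlled data into a fixed-size buffer without checking the length. The following C listing is an added illustration written for this page, not code from VUPEN, Microsoft or Valve: it puts a classic unbounded copy next to a bounded one that refuses input which does not fit. The `NAME_MAX`, `set_name_unsafe` and `copy_bounded` names and the sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer used by both versions (constructed for this example). */
#define NAME_MAX 16

/* Vulnerable: strcpy() copies until it finds a NUL in src, regardless of how
 * large dst is. A src longer than NAME_MAX - 1 characters writes past the end
 * of dst and overwrites whatever sits next to it in memory (other fields,
 * saved return addresses, heap metadata). This is the bug class the article
 * says makes up almost a quarter of reported vulnerabilities. */
void set_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src); /* no bound: attacker controls how many bytes are written */
}

/* Hardened: copy src into dst only if it fits, terminator included.
 * Returns true on success. On failure dst is left as an empty string so a
 * caller that forgets to check the result still sees a valid C string rather
 * than uninitialised or truncated data. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;

    /* Look for the terminator only within the space we are allowed to fill.
     * memchr() stops at the first match, so it never reads past a short src. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL) {          /* src is at least dst_size bytes: does not fit */
        dst[0] = '\0';
        return false;
    }

    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);  /* len + 1 <= dst_size, so this cannot overflow */
    return true;
}

/* Convenience wrapper with the same shape as set_name_unsafe(). */
bool set_name_safe(char dst[NAME_MAX], const char *src)
{
    return copy_bounded(dst, NAME_MAX, src);
}

int main(void)
{
    char name[NAME_MAX];

    /* Constructed inputs: one that fits and one that is exactly one byte too long. */
    const char *ok_input  = "alice";
    const char *bad_input = "AAAAAAAAAAAAAAAA"; /* 16 bytes + NUL = 17, buffer holds 16 */

    printf("%-20s -> %s (\"%s\")\n", ok_input,
           set_name_safe(name, ok_input) ? "accepted" : "rejected", name);
    printf("%-20s -> %s (\"%s\")\n", bad_input,
           set_name_safe(name, bad_input) ? "accepted" : "rejected", name);

    /* set_name_unsafe(name, bad_input) would compile and run, but writes one
     * byte past the end of name. It is deliberately not called here. */
    return 0;
}
```

The check is a single comparison, which is the article's point: the mitigation for the most common bug class is neither expensive nor novel, it just has to be applied at every copy. Compilers and libraries offer belt-and-braces help (stack protectors, `_FORTIFY_SOURCE`, `snprintf`), but none of them replaces an explicit length check at the boundary where untrusted data enters.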

Getting back to the issue of intentionally delaying the report of a critical bug: perhaps there should be a penalty for a lack of timely reporting. If researchers are motivated by money, then dock the payout for any unreasonable delay in reporting the flaw. That might get them to think about the impact of holding a bug back for financial gain.

Tell us what you think in our Forum

Last modified on Thursday, 24 July 2014 06:46
