Security experts have hit out at US firm Immunity Inc, which provides paid-up members with vulnerability information under non-disclosure agreements (NDA), which it subsequently keeps from vendors and the world at large.
A silicon.com article last week revealed Immunity and its founder Dave Aitel have been causing a stir in the security world in recent months with a business model branded "unethical" but entirely above-board.
The greatest source of growing concern appears to focus on the NDA and the potential for anybody to sign up and pay the price for notification of vulnerabilities.
One rival bug finder, who operates along the more traditional lines of informing the affected vendor of the flaw in its product and working with them to patch it before releasing any details of the vulnerability, has hit out at Immunity Inc.
Drew Copley, senior research engineer at eEye Digital Security, told silicon.com the situation of signing members to a non-disclosure agreement in return for information on security vulnerabilities is "extremely unethical".
"What are these people missing here?" asked Copley. "Are they crazy? What prevents any organised criminal group or criminal from getting on there and signing a NDA?"
"We treat security vulnerabilities that are not fixed yet by the vendor as state secrets. Selling them to anyone who would pose as a company or sign a NDA is highly unethical."
Copley said even "total disclosure", whereby everybody – vendors, researchers and the general public alike – is given the information at the same time, would be preferable.
eEye was last week credited for working with Computer Associates to fix flaws in CA's licensing software.
Simon Perry, VP security strategy at CA, told silicon.com: "Knowledge cannot be effectively controlled. NDAs in the IT community as a whole are not taken seriously and there do not appear to be adequate controls to ensure that the information does not leak to those who have an interest in creating a dangerous exploit."
"The business model deliberately creates a culture of the security haves, and the security have-nots. It does not improve security overall," he added.
Perry also questioned whether Aitel's customers are getting value for money. Because vendors are kept out of the loop, flaws go un-patched while Immunity's customers are given a workaround.
"You're given a workaround by Immunity, but you don't have a fix – a patch from the vendor that permanently addresses the problem. The door is closed, but it's not locked shut."
Comments
There are 4 comments.
1. James Button
Verrry interesting -
If Microsoft sign up for this information, then the NDA means they will not be able to tell any of us about any of these problems.
Does that give them a get-out for not telling the users of their software?
Or - will they be suing Immunity Inc for breaching the terms of the Microsoft Licence.
(For 'Microsoft' in the above, you can substitute the name of any software, - or appropriate hardware manufacturer)
2. bc90021
This article misses one important fact, and I can't help but wonder if it was left out on purpose (so as to create a stir). Those people signing the NDA also have to pay a minimum of $50,000 to be in the club in the first place. That puts it out of the reach of all but the really determined clients, who could be bad or good. But the bad guys can just as easily investigate the bugs themselves anyway, so in reality it allows for the good guys, who might not have the same amount of time, to break even or get a leg up.
3. anonymous
Or maybe software companies could pay to do their own security QA instead of expecting the security community to do it for free??? Dave's VSC is $100k a year right? That's less than the cost of one decent QA engineer.
4. jared
re: verrry interesting
MS already has 'an out' with regard to vulnerability notification: their own End User License Agreements. They're not financially obligated to release that information, because they're not financially liable when one of their bugs leads to destruction or theft of your data.
By creating a market for vulnerabilities, VSCs put a small amount of financial pressure on vendors to properly QA their "enterprise quality" product offerings. Or, in another light, they're putting pressure on the market to change the working definition of "enterprise quality."
The current market is forcing companies to run their businesses on software they can't afford to completely understand, but for which software vendors generally aren't liable when attacks occur. The available solutions range in popularity:
a) stick with the status quo, because software companies have demonstrated their newfound "seriousness" with respect to security...surprisingly popular, if this article is any indication.
b) break out the hammer of Congress to make software companies liable for vulnerabilities...popular, because many more people understand how to sue than understand how to find and fix software vulnerabilities.
c) create a market capable of supporting vulnerability research of a quality that software vendors aren't currently interested in performing themselves...popularity TBD. :)