Buy and Tell: TippingPoint to Disclose Purchased Flaws

A security company that pays hackers for information on software flaws and exploits plans to release a list of 29 unpatched flaws in products sold by a host of big-name vendors, including Microsoft, IBM, Apple Computer and Novell.

The Aug. 28 disclosure from TippingPoint's ZDI (Zero Day Initiative) flaw bounty program is a significant change to the way the 3Com-owned company handles the disclosure of vulnerability data it buys from external researchers.

Instead of waiting for software makers to issue patches, TippingPoint will announce the flaw purchase in bare-bones advisories at the time the issue is reported to the vendor.

Dave Endler, director of research at TippingPoint, in Austin, Texas, said the list of 29 includes six bugs affecting Microsoft; three affecting Novell; two each for products sold by IBM and Apple; and one each affecting AOL, Adobe and Sun Microsystems.

Click here to read more about the sale of the WMF exploit on the underground market.

"We're not identifying the software or product versions. We're simply naming the vendor, the date the issue was reported and the severity of the vulnerability," Endler said in an interview with eWEEK.

In the first year since ZDI started shopping for flaws, Endler said the company has fielded submissions from hundreds of hackers, culminating in 30 published post-patch bulletins. TippingPoint has been credited with finding nine vulnerabilities patched in the last three Microsoft Patch Tuesdays, he said.

With the new disclosure policy, Endler said he believes TippingPoint can serve as an industry "watchdog" against companies that drag their feet when software vulnerabilities are reported.

"We can use this to apply some pressure on some vendors. Some, like Microsoft, are very diligent about responding, but there are others that take six months or more to get a fix ready. After you've passed the six-month timeline, there's a good chance someone else will find [the vulnerability] and it might not be someone responsible," he said.

Click here to read more about a price war in the flaw bounty market.

In addition to ZDI, TippingPoint has a team of internal researchers that also discovers and reports security bugs to vendors. So far this year, staff researchers have found 10 vulnerabilities that resulted in patches, and six more in the disclosure pipeline are affecting AOL, Apple, IBM, Computer Associates and Crystal Reports.

According to VeriSign's iDefense, which also buys data on flaws and exploits from external hackers, it has no plans to preannounce its purchases. "What's the benefit of doing that? It seems to be something that's driven by marketing," said Joseph Payne, vice president of iDefense.

Payne suggested that TippingPoint's move could point malicious hackers in a certain direction and put certain vulnerable applications at risk. "If you tell the research community that you have found something in a certain application, you can be sure they will all start looking for it. We've seen this in the past with the WMF [Windows Metafile] issue and the recent problems with Microsoft Office," Payne said in an interview with eWEEK.

Paying for flaws has been paying off for iDefense. Click here to read more.

TippingPoint's Endler dismissed such a suggestion, making it clear that his company will only provide the name of the vendor and won't be providing any details that might pinpoint the affected product or the cause of the vulnerability.

iDefense itself has used quarterly challenges to point hackers at specific vendors and applications. In February 2006, the company offered a $10,000 reward to any hacker who found a critical worm hole in a Microsoft product, and eventually paid a single, anonymous researcher the bounty.

Earlier in August, iDefense trained its sights on serious holes in Web browsers, offering a new $10,000 prize to any hacker who can find a remotely exploitable code execution hole in Microsoft Internet Explorer or Mozilla's Firefox.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

According to Payne, the hacking challenges help to ensure that serious software bugs are disclosed responsibly to affected vendors. "At the height of the WMF issue, that flaw was traded in the underground community and caused a lot of damage to our customers. If we can keep those flaws away from black hats, we are doing a service to the industry," he said.

He pointed out that the WMF exploit code was sold by Russian hacker groups for $4,000 a pop long before the attacks of December 2005.

"We wanted to flush these kinds of exploits out and make sure they are given to the vendor in a responsible way," Payne said, stressing that iDefense works very closely with all vendors to make sure patches are shipped before any information is publicly posted.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's Weblog.

Copyright © 2006 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.