Gartner Research, and representatives from McAfee and Secure Computing expressed outrage over 3Com’s TippingPoint paying $10,000 for a QuickTime hack.
|Unhappiness Abounds Over Pay For Mac Hack|
When we chatted with Paul Henry from Secure Computing recently, he mentioned the Mac hack that took place at a security conference, CanSecWest. He was critical of the contest sponsored by the conference and financed by TippingPoint, which paid a ten grand bounty to researcher Dino Dai Zovi for finding a previously unknown critical vulnerability in Apple’s QuickTime software.
What compounded the problem in the eyes of observers was TippingPoint’s follow-up actions.
(UPDATE!: We heard from a 3Com/TippingPoint spokesperson who clarified their process, which we had been told involved patching TippingPoint customers first before reporting the vulnerability to Apple: “The above statement is not correct, and does not represent the practices of the Zero Day Initiative. Signatures are never released to our customers prior to vendor notification. We first notify the vendor- always- and then follow up either that same day or often that week with updated filter sets to our customers. Never have we first protected our customers and then notified the vendor. That would be contrary to our responsible disclosure practices.
“We did not withhold the details about the vulnerability from Apple. Had we done so, Apple wouldn’t have been able to patch the vulnerability in a week. Contrary, we gave the full details of the vulnerability to Apple within 30 minutes of purchasing it from the researcher Dino. The 30 minute delay was due only to the time it took to put everything together, address it to “email@example.com” and hit “Send”.”)
McAfee researcher Rahul Kashyap blogged about his company’s criticism of the chain of events. “As security vendors, our mission is to protect our customers and the internet community at-large, not to create hype and FUD by giving the world a chance to exploit unpatched flaws!!” he wrote.
Research analysts from Gartner also criticized the contest. Their remarks appeared in SC Magazine, where they called such contests “risky endeavors” and suggested ending them.
A TippingPoint representative cited in the same report defended her company’s practice. By purchasing the QuickTime vulnerability from the person who found it, the details of the crack could be kept between TippingPoint and Apple.
It can be said that the discovery of what proved to be a highly critical problem with QuickTime prompted a much faster and safer patch cycle than if it had been discovered by independent, or even criminal, researchers. Where is the best place for a researcher with a newly found exploit to go – to TippingPoint for a bounty, where the flaw will likely stay under wraps, or to a message board to be sold to the highest bidder, no questions asked?