August 3, 2007 4:00 AM PDT

Bug hunting start-up: Pay up, or feel the pain

An upstart security research firm with a controversial business model is at the center of a debate over how software bugs should be disclosed.

Vulnerability Discovery and Analysis (VDA) Labs, founded in April by Jared DeMott, notifies software vendors of security bugs found in their software, as do many other security researchers.

But as part of VDA's business model, vendors are asked to pay either for the bugs it discovers or for its consulting services; otherwise, VDA threatens to sell the bug to a third party or to make the details of the security flaw public.

DeMott, who has done work for the National Security Agency among other places, describes his business model as "edgy," while other security researchers see it as more akin to "extortion." The practice, in either case, veers from the more traditional ways bug hunters have worked with software vendors and security firms.

Just two weeks ago, LinkedIn, the popular social-networking site, got a taste of VDA's business practices when the Michigan security company claimed it had found a critical security flaw in the LinkedIn Internet Explorer Toolbar.

"We've discovered an attack against the LinkedIn toolbar. If you are interested in the bug, we would like to give first right of refusal to purchase it. We'd also like to perform a more complete security audit of your products. We can help make the LinkedIn products more secure," DeMott stated in an e-mail sent to LinkedIn on July 10, as viewed by CNET News.com.

The e-mail continues: "If you wouldn't like to buy it then we are happy to resell or release as a full disclosure to help prevent security issues arising on end users servers. We strongly believe in keeping users safe. We are unique in that we give vendors a first chance at the bugs we discover rather than selling to a third-party or releasing publicly. Please find the VDA Labs Value add document attached. If you'd like to buy the bug we will provide working attack code, so that you can verify the bug, before you send the check."

VDA set a deadline of July 17 and requested a payment of $5,000.

After failing to receive a response from LinkedIn, DeMott sent two e-mails on the eve of the deadline. One served as a reminder that the deadline was looming, and the other stated the price had increased to $10,000.

"Just developed the attack into a working exploit ($10K) now. Call me," DeMott wrote in the e-mail.


Two days after the deadline passed and details of the security flaw and how to exploit it were published, DeMott sent another e-mail to LinkedIn.

"So, if your company policy is to not buy bug reports, would you be willing to sign up for consulting (with VDA) then? We could include this bug as part of the final report. I really just had to irresponsibly release this exploit," DeMott said in the e-mail.

LinkedIn declined to comment. The company has since patched the flaw identified by VDA.

DeMott, who confirmed he sent the e-mails, defended his company's business practices, saying the approach protects users by giving them a heads-up and by prompting vendors to take action to patch the flaw.

He also pointed to the VDA Value document, which outlines his company's services and pricing.

"Our business model is a little edgy, but we never saw it as extortion or thought of it that way," DeMott said. "We wanted to do something that would really grab the vendor. The vendors don't make money patching products. They're more interested in selling products. We were afraid they would try to put us on the back burner."

Some software companies, for instance, do not work with security researchers as a matter of policy and act on vulnerabilities only when their own customers flag them.

Other security researchers are critical of VDA's business model.

"Anytime you have someone saying they have this, and that unless you give them money, they'll do that, that's extortion," said Frederick Doyle, director of VeriSign/iDefense Research Lab and a former police officer in the state of New York.

Johannes Ullrich, chief research officer for the Sans Institute, expressed similar sentiments.

"I think this is extortion, particularly if he threatens to release the bug publicly if he's not paid," Ullrich said. "You should not hold a bug hostage."

VDA is not alone in its business practices, said Terri Forslof, manager of Security Response for Tipping Point, which is owned by 3Com.

Forslof, who previously worked as security program manager for the Microsoft Security Response Center, said she came across similar situations about a dozen times during her stint at the software giant between 2000 and 2005.

VDA
Can anyone say racketeering? Not surprised he worked for the NSA. VDA no doubt will be gone once they email the wrong target.
Posted by gravityfactory (18 comments )
Agreed
Very shady practice indeed.

Although I agree that bug hunters who discover critical flaws in software and systems should be compensated for their work, the means by which VDA goes about its business seems like something out of a bad Mafia-type movie.
Posted by SeizeCTRL (1333 comments )
Shame
Instead of an email, why don't they just send in a video of a man in a black ski mask saying you have 10 days to give me $5000 or I'll release these pictures to the public.

What is the difference?
Posted by smilin:) (889 comments )
Extortion? C'mon. Extortion is
having a monopoly product that is defective and riddled with bugs and then charging people for protection after you've released it. Flaws and all. Can you say Microsoft security products?

The fact is, software companies will release half-baked products and shoddy products because they can. All the economic incentive is built into releasing unfinished product. Someone has to put the incentive back in for them to fix and clean up their products BEFORE they're released.
Posted by ordaj (338 comments )
Brazen
The email he sent after releasing the exploit is one of the most incredible displays of chutzpah I have ever seen. Honestly: telling someone that you had to damage their business because they wouldn't pay up, then offering them consulting services is something that wouldn't even have occurred to me. It seems akin to trashing their car then offering a deal on bus tokens.

That having been said, offering exploits for a fee seems like a perfectly legitimate transaction to propose. After all, the knowledge of the exploit has value, and the public benefits when there is an incentive to find them so they can be fixed. I'm just not impressed with the methods used in this case.
Posted by wmorriss (6 comments )
rude yes illegal no
Isn't this the same thing antivirus programs do?
Buy for $60, then pay $20 monthly or it will let viruses eat your comp.
Posted by torystark (8 comments )
The exploit is not worth $10000
I looked at the code. It just looks like it's tracking some info about the browser capabilities via a querystring on a GIF request. Invasive? Yes. Worth 10 grand, uh... no.

Or am I missing something in the JS code?
Posted by WildSignals (13 comments )
To clarify why it's not worth 10K
LinkedIn would see the info the script is collecting as a potential privacy threat, but not one that would threaten the business. The script is collecting client stats in the same manner most reporting tools for web servers do. In fact, the script might have been borrowed from one of those. It is limited to the DOM objects that JavaScript has access to in the browser. Screen height... oooooo. Do you have Java? OOOOOOO. Easy to shut this down.

A good programmer at LinkedIn could find it, patch it, and test it in an hour. Unless that person is making $5000-$10000 per hour, I agree with LinkedIn's decision.
Posted by WildSignals (13 comments )
VDA should be sued for this type of practice...
This type of practice by VDA definitely looks like extortion. If I find that a company like Microsoft or others makes crappy software and does not test its programs for bugs, I will not buy from them anymore. I really don't want the software industry being regulated by extortion schemes which threaten to release dangerous code if the extortionist is not compensated. A company who is treated in this way by VDA has every right to sue VDA in my opinion.
Posted by jeroneanderson (50 comments )
two ways to see
I see this from the feeling of extortion but I also see it as someone who is frustrated with the lack of severity companies put on fixing their software. It's funny because most people here would barrage hate comments on a company who took a lax standpoint on fixing bugs in their software. This is almost akin to a bounty hunter going after a criminal and though you don't agree with their practices they certainly accomplished something others did not. If the only thing a software company understands is money and nothing of their own image or reputation then maybe they do deserve that type of business model/behavior to beleaguer them. Though this is certainly a more renegade behavior I am sure the "business model" will have to change into something a little less edgy over time as I am sure the eventual lawsuits will wear them down.
Posted by chuchucuhi (233 comments )
Electronic Ransom!
Holding a company hostage for a sum of money.

Forcing them to pay to gain access to the flaws which are inherent in their software.

Threatening to go public if they don't ransom up!

Sad news if you ask me... but the problem lies not so much in their tactics as it does in the fact that it doesn't currently pay very much to divulge security flaws to the manufacturer.

Thus I understand the concept of trying to make that a more profitable solution... but the tactics stink to high heaven.

Walt
Posted by wbenton (522 comments )
extortion!!!
This is 100% extortion! Look at the language VDA has used in their emails! There is a limit to the amount of testing a software developer/company can do. They do their best and release the product. Big companies can afford to put more resources on testing, but still the product will not be 100% bug free!

I am surprised why LinkedIn did not sue VDA! They should! I bet VDA would run for their life if sued!
Posted by slickuser (668 comments )
only
extortion if they say "if you don't pay WE will release the attack code for gain against users."

Sharing knowledge on bugs is not a bad thing. Too bad someone did not share knowledge about the bad state of repair (bugs) of the bridge that collapsed.
Posted by gggg sssss (2285 comments )
Write good software or pay a fine! Excellent!
They deserve it, selling software full of bugs, make millions then consumers pay for their mistakes, and not just that, have a monopoly control the market, and year after year keep on saying that the next version is going to be good and then come out with another piece of junk.

If you drive over the speed limit you get a ticket; it makes sense to fine the sloppy software maker. Why should they get the feedback for free?
Posted by gerardogerardo80 (28 comments )
This is the criminal definition of blackmail
This business model is the legal definition of blackmail, a form of extortion:

http://dictionary.law.com/definition2.asp?selected=75&bold=|||| says:
blackmail
n. the crime of threatening to reveal embarrassing, disgraceful or damaging facts (or rumors) about a person to the public, family, spouse or associates unless paid off to not carry out the threat. It is one form of extortion (which may include other threats such as physical harm or damage to property).
See also: extortion

http://www.lectlaw.com/def/b105.htm says: BLACKMAIL - A criminal act of extortion, malicious threatening to do injury to another to compel him to do an act against his will. Usually involves the threat to release information, often true, about the person that will defame his reputation or bring criminal actions against him.

The criminality lies not in the release of the information - at least if true - but in the extortionate aspects of the threat to do so.

In fact, this business model may also violate Federal RICO (anti-racketeering) regulations.

I see no difference between VDA's actions and that of the Mafia.

Anyone presented with a threat by this company should contact their local FBI field office: http://www.fbi.gov/contact/fo/fo.htm
Posted by AAPLBigot (4 comments )
Sue their A@* off!
Yeah! Take action against VDA! Sue their a^* off!!!
Posted by slickuser (668 comments )
Why not patent the bugs and the bug fixes?
For those companies who don't want to pay up, why not patent the bug fixes as well? At least the non-paying companies will then have to pay royalties on the bug fixes. Patent trolls work exactly like that and have been very effective.
Posted by Joe Real (1217 comments )
This is really troubling
The courts really need to look at this one. This strikes me as a less than legitimate way to do business.

Charles R. Whealton
Charles Whealton @ pleasedontspam.com
Posted by chuck_whealton (521 comments )
 
