Bug Bounties Uncover 1 in 4 Microsoft Flaws

Nearly a quarter of the vulnerabilities patched by Microsoft were discovered by researchers paid bounties by a pair of security companies.

June 15, 2006

Network Computing

Nearly a quarter of the vulnerabilities patched by Microsoft on Tuesday were discovered by researchers paid bounties by a pair of security companies, one of the vendors said Thursday.

Of the 21 flaws fixed by the 12 security updates issued Tuesday, 5 were credited to bug bounty programs run by Reston, Va.-based VeriSign iDefense and Austin, Texas-based 3Com TippingPoint.

"It was really interesting to look at the overall bulletins Tuesday," said Mike Sutton, the director of VeriSign iDefense Labs. "The market is changing, and people are recognizing that there is value in vulnerabilities."

iDefense was credited by Microsoft with submitting 4 of the 21 vulnerabilities, but only 3 came through its Vulnerability Contributor Program (VCP), which debuted in 2005. The fourth, Sutton said, was found in-house by an iDefense researcher rather than bought from an outside contributor.

Two others, meanwhile, came from TippingPoint's rival Zero Day Initiative (ZDI).

One of the vulnerabilities that originated from iDefense's VCP was of special note, since it was the first to collect on the company's quarterly challenge. In February, iDefense announced that it would pay an additional $10,000 bounty for any Windows vulnerability that Microsoft subsequently rated "critical."

An Internet Explorer bug in the parsing of ART image files (a format used by AOL's Web sites and services) met that criterion, Sutton said, and the anonymous researcher has been paid the $10,000.

The challenge, now in its second quarter, will continue, Sutton said, pointing to this month's tally as evidence that paying for bugs works. Until June 30, iDefense is paying extra for database vulnerabilities; the company hasn't yet set the target for the third quarter.

"No vendor wants vulnerabilities in their software, but most will tell you that unfortunately they're a reality of development," said Sutton. "Economics is economics. We're fooling ourselves if we think that vulnerabilities have no value.

"They have value to customers, who want to be patched; they have value to vendors, who want to fix their software and avoid negative publicity. And they have value to the underground."

The iDefense and TippingPoint programs have been controversial from the start. Some security researchers have accused the bounty plans of blurring the line between legitimate and criminal vulnerability research. Others have said the programs create a black market for bugs.

"I don't feel that we're driving up the value of vulnerabilities any more than any other party. These things are valuable, and if the underground's going to bid up the price, they're going to do it amongst themselves," countered Sutton.

"Vulnerability researchers have a very specialized skill set," he argued, "and some may be swayed by offers from immoral sources. But they need to put food on the table, too. So while keeping vulnerabilities 'off the streets' wasn't a stated goal of VCP, it's a great benefit."

Although the only vendor that publicly pays for vulnerabilities in its own products is Mozilla Corp. -- it has a $500 bounty on bugs in its open-source software -- Sutton said he won't be surprised if others join it.

"Historically, vendors didn't have to compete for vulnerability information, but I do believe at some point we'll see others move that way," said Sutton.

"Microsoft already does offer a bounty in an indirect way," he said, pointing to the $250,000 rewards that Microsoft has posted in the past for the arrest of the creators of major malware, including 2003's MSBlast and Sobig and 2004's MyDoom.

"Why not start a program to get the vulnerabilities out of the market in the first place, before they're used to create a worm?" Sutton asked.
