Endangered Species

Time to say goodbye to the indie hacker

May 17, 2007

12:30 PM -- Free-spirited, full-disclosure indie security researchers are becoming scarce.

It shouldn't come as a surprise, though. These non-vendor-affiliated white hats are under increasing legal -- and financial -- pressures. Many of them have gone corporate, working under the protective blanket of their company's research group.

Researcher David Maynor, CTO of Errata Security, laments that this means vulnerabilities will become trade secrets and won't get publicly disclosed at all, which he considers a detriment to security. Vulnerability discovery and disclosure as we know it won't exist anymore. (See Up Close With David Maynor.)

Hacker RSnake, a.k.a. Robert Hansen, founder of SecTheory, has felt the pinch already: "When we disclosed a vuln publicly a few months back, a vendor came in and tried to take credit for it after the fact, saying they had told Microsoft about it months before privately," he says. "They were doing it for business; we were doing it because it was a bug that everyone should know about."

Full-disclosure hackers, who publish vulnerabilities without the blessing of vendors, are an endangered species. Not all of them are good guys, either: "There are only a few of us full disclosure types left, and even a lot of those types are still doing it to make a competitor look bad," RSnake says.

It's more lucrative on the dark side now. And savvy security and software companies are snapping up smart researchers who don't have much choice anymore but to get a "real" job. "There really aren't enough security people in the world. So if you are any good, a company is going to want to slurp you up and then shut you up," RSnake says. "If you go around breaking into things all the time, you'll either get hit by DMCA [Digital Millennium Copyright Act], or by other laws, if you are breaking into sites."

Maynor and RSnake are able to continue their individual research at their small firms, so even with their corporate day hats, they have freedom. Researcher HD Moore, for instance, has plenty of leeway at BreakingPoint Systems, where he's head of security research by day and still Metasploit creator by night. It's tougher for indie white hats, who are increasingly finding some hacks require them to tread more lightly than they used to.

Take Felix Domke, the Xbox 360 hacker. When deciding what to do about the Xbox 360 bug he found, Domke enlisted the advice and help of Andrew "bunnie" Huang, hardware lead at Chumby Industries, who had previous experience working with Microsoft. The first step was making sure Microsoft wouldn't consider legal action given Xbox's anti-piracy issues.

Domke was relieved to learn that Microsoft was open to working with him under its "responsible disclosure" policy, where they patch before he can release the bug. But he admitted he isn't comfortable doing research on anything he has to keep under wraps: "It was the first time that I worked on a vulnerability which was not immediately publicized. I usually work in open teams, which are working together in public, immediately disclosing any results." (See Microsoft Meets Xbox Hacker.)

But it was different this time, he says. Sign of the times?

— Kelly Jackson Higgins, Senior Editor, Dark Reading
