BlackHat Poll Warns Against Auctioning Off Security Information

A Symantec survey suggests security researchers should be paid for their information; not auctioned off to the highest bidder.
Are you a security researcher considering auctioning off information just to make a buck? A new opinion poll out suggests that may be a dangerous move.

Most of the attendees at last week's BlackHat security conference think auction sites that sell off online vulnerability information are dangerous. The survey also showed that they think researchers should be paid for their work.

Symantec conducted the poll at BlackHat USA -- which was held in Las Vegas last week -- and found that 80% of those surveyed at the gathering said public vulnerability auctions put the vendor and the public at risk.

"If the researchers finding the vulnerabilities go to the highest bidder, most likely that will be somebody involved with crime instead of a vendor," said Javier Santoyo, manager of Symantec Security Response. "Researchers believe they should be getting paid for finding vulnerabilities but they also understand if they go to the highest bidder, there's no way to know who will buy it and what they will do with it."

The issue of auctioning off vulnerability information created an online buzz early last month when WSLabi, a Swiss security research lab, created what it calls an online marketplace for security research. The company built a portal where researchers, security vendors and software companies can bid to buy information on security research.

According to WSLabi's online release, they're looking to help researchers get the "correct value for their findings." The company claims it can help researchers get 20 times more than they receive for bug information now.

However, Santoyo told InformationWeek that criminals may just be as likely as security companies and other legitimate researchers to try to buy bug information in a live auction. "The bad guys are doing more things out in the open," he said. "They're becoming bolder. Opening trading on the Internet, buying information on exploits and [vulnerabilities] -- the criminal aspect is more openly [working] on the Internet."

However, that doesn't mean that security professionals don't think researchers should be paid for their hard work finding vulnerabilities. According to the Symantec poll, 59% said security researchers should be paid for their information, regardless of who may ultimately purchase the vulnerability.

There's been growing debate whether companies like Microsoft or Apple should pay researchers who contact them with accurate information about flaws in their software. Santoyo said while security researchers may push for it, he doesn't see it happening soon.

"Even though researchers feel they should be paid for the work they do, hopefully they're working with vendors, instead of criminal organizations out there," said Santoyo. "I think on the vendor side most would be against paying for vulnerabilities. I would say on the vendor side we'll see them hiring more of the researchers and trying to get it done in house."

Symantec's survey also showed that:

  • Sixty percent of IT managers are most concerned about the Windows XP platform having vulnerabilities and least concerned with Unix;
  • Mobile technologies, followed by virtualization and Web services, were cited as the hottest security issues within the web application security area;
  • Thirty-six percent of those surveyed are most interested in researching messaging/scripting technologies, followed by operating systems, and infrastructure networking technology.
  • The Black Hat convention was attended mostly by IT managers and independent researchers. IT Managers comprised the largest group (42%) attending the conference, compared to 26% in 2006.
Editor's Choice
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Terry White, Associate Chief Analyst, Omdia
John Abel, Technical Director, Google Cloud
Richard Pallardy, Freelance Writer
Cynthia Harvey, Freelance Journalist, InformationWeek
Pam Baker, Contributing Writer