Pure Extortion
By Rich
Threatpost has an interesting article up on the latest disclosure slime-fest (originally from Educated Guesswork). It seems VoIPShield decided vendors should pay them for vulnerabilities – or else.
While I personally think security researchers should disclose vulnerabilities to the affected vendors, I understand that some make the choice to keep things to themselves. Others make the choice to disclose everything no matter what, and while I vehemently disagree with that approach, I at least understand the reasoning behind it. And, per reasonable disclosure, researchers should publicly disclose vulnerability details when a vendor's unresponsiveness places its customers at risk.
But VoIPShield? Oh my:
“I wanted to inform you that VoIPshield is making significant changes to its Vulnerabilities Disclosure Policy to VoIP products vendors. Effective immediately, we will no longer make voluntary disclosures of vulnerabilities to Avaya or any other vendor. Instead, the results of the vulnerability research performed by VoIPshield Labs, including technical descriptions, exploit code and other elements necessary to recreate and test the vulnerabilities in your lab, are available to be licensed from VoIPshield for use by Avaya on an annual subscription basis.
Later this month we plan to make this content available to the entire industry through an on-line subscription service, the working name of which is VoIPshield “V-Portal” Vulnerability Information Database. There will be four levels of access (casual observer; security professional; security products vendor; and VoIP products vendor), each with successively more detailed information about the vulnerabilities. The first level of access (summary vulnerability information, similar to what’s on our website presently) will be free. The other levels will be available for an annual subscription fee. Access to each level of content will be to qualified users only, and requests for subscription will be rigorously screened.”
If you require vendor payment for vulnerability details, but will release those same details to others who pay, that’s extortion. VoIPShield is saying, “We’ve found something bad, but you only get to see it if you pay us – and of course so does anyone else who pays.”
Guess what guys – you aren’t outsourced QA. You made the decision to research vulnerabilities in particular vendors’ products, and you made the decision to place those companies’ customers at risk by releasing information to parties other than the appropriate vendor. This is nothing more than blackmail. Is vulnerability research valuable? Heck yes, but you can’t force someone to pay you for it and still be considered ethical.
If you demand vendor payment for vuln details, but never release them, that might be a little low but isn’t completely unethical. But demanding payment and releasing details to anyone other than the vendor? Any idiot knows what that’s called.
I’m initially in agreement with you on this. It just feels wrong. Then again, much of this likely stems from being pro-full disclosure and not really believing that the vuln business is a viable market beyond a trickle of high-profile vulns that eventually get outed. It is one thing to basically play it off as outsourced (and cheap!) QA with a vendor, but then selling them to others just seems two-faced.
Who exactly would be the target audience and what would be their intentions? I’m not sure I can think of any specifics beyond high-level pen-testers or exploit shops like CORE…but they’ll find it themselves once details and a patch are released from a vendor…
I dunno, I guess I’m on the fence on this, but my gut leans towards thinking this is a terrible idea.
I posted some tangential thoughts over here: http://www.terminal23.net/2009/07/when_does_vuln_research_turn_b.html