An app store where security researchers sell exploits

analysis
Sep 20, 2010

ExploitHub, an app store for attack code, is the latest attempt to turn independent security research into a paying gig

When security researchers find a vulnerability in an application, they typically contact the developer and debate details of the flaw. Is it a real flaw? Can attackers exploit it? How quickly can it be fixed? Months later, after a fix, the software maker gets a more secure product — and perhaps a lesson in secure programming — but the researcher generally gets nothing but a pat on the back.

Several groups have found ways to pay researchers for finding vulnerabilities. Now, one company wants to create a marketplace for selling the code capable of exploiting vulnerabilities.


ExploitHub — the brainchild of NSS Labs, a security testing firm — takes its business model from Apple’s App Store. While security experts aren’t sure it will work, it marks the latest step in a trend of turning security expertise into cash.

“One of the catalysts for this idea is the conversations we have had with independent security researchers,” says Rick Moy, CEO of the Carlsbad, Calif.-based NSS Labs. “We are hearing of researchers with caches of a couple hundred or a couple thousand exploits that they are sitting on. There are two things that they are looking for: To have them (the exploits) put to good use and get paid for their time.”

ExploitHub will allow programmers and security experts to upload the code necessary to attack a specific vulnerability — what’s referred to as an “exploit” in security and hacking circles. ExploitHub will only host exploits for vulnerabilities that have already been publicly disclosed and patched, and will only allow known security professionals to buy the code, according to NSS Labs.

The marketplace is the latest attempt by security researchers to get paid for their work. In 2002, security firm iDefense started offering rewards for bugs in software vendors’ products. The company uses the information to help developers secure their products. TippingPoint, now part of Hewlett-Packard, announced a similar bounty program in 2005 called the Zero Day Initiative. With ExploitHub, security researchers will not just get paid for finding vulnerabilities, but for programming reliable ways to use those flaws to hack into systems.

Getting a paycheck for their valuable work has been a focus of three researchers who started the group No More Free Bugs more than 18 months ago. They have their work cut out for them: In 2009, researchers were only paid for 308 vulnerabilities — or about 5 percent — of the more than 5,700 bugs found that year, according to data from analyst firm Frost & Sullivan. (Note: This does not include security professionals who found vulnerabilities as part of their job.)

“This is about people wanting to get paid,” says Charlie Miller, a founder of the group and principal analyst with Independent Security Evaluators. “They are doing work that is hard to do, and I think they should get paid for it.”

The problem for ExploitHub, says Miller, is that the value of exploits remains to be seen. The market for vulnerabilities, for example, consists of low-value sales (typically, thousands of dollars for a confirmed flaw) to the known bug bounty programs or higher-value sales ($10,000 to more than $100,000) to the gray market. Gray market buyers are generally from government programs that like to protect themselves against such vulnerabilities but could also use the flaws for espionage or other activities. Typically, showing reliable exploitation of the flaw is a requirement.

Because the bug bounty programs do not pay very well and many security experts refuse to give up their research for free, Miller suspects that a lot of vulnerabilities are going unreported.

“I have thought for a long time that you will see fewer researchers who are reporting vulnerabilities,” he says. “They are more valuable now … especially because they are harder to find.”

Exploitation has become more difficult as well. Defenses such as randomized memory layouts and the ability to mark certain areas of memory as nonexecutable make reliably exploiting vulnerabilities hard.
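As an added example (not code from the article or from NSS Labs), here is a small Python checker that reports whether an ELF binary opts into the two defenses just named: position-independent code, which is what lets a randomized memory layout (ASLR) move the program's own code, and a stack marked non-executable through the PT_GNU_STACK program header. It assumes 64-bit little-endian ELF files; the two sample images it builds are constructed for the demonstration and are not loadable programs.

```python
import struct
import sys

# ELF constants (from the ELF specification / elf.h)
ET_EXEC = 2          # fixed-address executable: ASLR cannot relocate its code
ET_DYN = 3           # position-independent executable (PIE) or shared object
PT_GNU_STACK = 0x6474E551
PF_X = 0x1           # program-header flag: segment is executable
PF_W = 0x2
PF_R = 0x4


def elf_mitigations(data: bytes) -> dict:
    """Report whether an ELF64 little-endian image opts into PIE (so ASLR can
    randomize its code) and a non-executable stack (PT_GNU_STACK without PF_X)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this checker handles ELF64 little-endian only")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Conservative default: with no PT_GNU_STACK header the loader falls back to
    # its own legacy default, so report the stack as executable unless the
    # header says otherwise.
    nx_stack = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
            break
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def build_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed sample: a 64-byte ELF64 header followed by one PT_GNU_STACK
    program header. Enough for the checker to parse; not a runnable binary."""
    ehdr = struct.pack(
        "<4sBBBBB7xHHIQQQIHHHHHH",
        b"\x7fELF", 2, 1, 1, 0, 0,   # ELF64, little-endian, version 1, SysV ABI
        e_type, 0x3E, 1,             # e_type, e_machine = x86-64, e_version
        0, 64, 0, 0,                 # e_entry, e_phoff (right after header), e_shoff, e_flags
        64, 56, 1, 64, 0, 0,         # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def describe(label: str, result: dict) -> str:
    """One-line human-readable summary of elf_mitigations() output."""
    pie = "PIE (ASLR can randomize code)" if result["pie"] else "no PIE (fixed code addresses)"
    nx = "NX stack" if result["nx_stack"] else "EXECUTABLE stack"
    return f"{label}: {pie}, {nx}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a real binary given on the command line.
        with open(sys.argv[1], "rb") as f:
            print(describe(sys.argv[1], elf_mitigations(f.read())))
    else:
        # No path given: show the two constructed samples side by side.
        hardened = build_sample_elf(ET_DYN, PF_R | PF_W)
        legacy = build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X)
        print(describe("constructed hardened sample", elf_mitigations(hardened)))
        print(describe("constructed legacy sample", elf_mitigations(legacy)))
```

Run it with a path to a binary to inspect a real file, or with no arguments to see the constructed hardened and legacy samples. It is a per-binary check only: a PIE binary still gets fixed addresses if the kernel's randomization is switched off, and a non-executable stack says nothing about other mappings, so pair it with a review of the system-wide setting.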

The value in exploits for already patched flaws seems questionable, yet companies and individuals are generally far behind in patching their systems. While Windows systems are patched in about two weeks, some applications — such as Microsoft Office and Adobe Acrobat Reader — take far more time to get patched. Enterprise red teams — authorized hackers who seek out vulnerable systems before the bad guys attack them — could benefit from having a larger pool of exploits from which to choose.

However, sharp researchers can generally create their own exploits, leading Miller to question whether there will be any demand for ExploitHub.

“There are about a hundred guys who care about my exploit,” he says. “I’m all for open markets … I’m just not interested in buying exploits.”

This article, “An app store where security researchers sell exploits,” was originally published at InfoWorld.com.