Ethics of Zero-Day Sales
A friend asked me about this topic, and I decided to post my response publicly so others can see it and discuss it.
Background
Consider a security research company that finds zero-day vulnerabilities in software and on Web sites.
Once they have the zero-days, what can they do with them?
Legal Risks
My understanding of the law is that the CFAA makes all discoveries of security problems on websites illegal unless that company has authorized you to discover their vulnerabilities.
Therefore, notifying a company that has not employed you places you in legal jeopardy, unless they have a bug bounty or vulnerability disclosure program. You are confessing to a crime.
I used to do this a lot. I notified hundreds of colleges and companies, and gave a talk about it at HOPE X, but I have stopped doing it because of the chilling effect of the CFAA, and also because it had very little effect. Only 20% of the people I notified fixed the problems.
Finding vulnerabilities in locally installed software, such as Windows, is legally safer, as far as I know.
Offering to Sell Zero-Days to a Company
Unless a company has a bug bounty program, or a vulnerability disclosure policy, you are unlikely to get money out of them for a zero-day. And they may interpret your notice as extortion, a threat to hack them unless they pay up.
I strongly advise not to advertise your business in this manner unless you have run it past an attorney first.
Selling Zero-Days Through Brokers
Brokers like ZDI and Kevin Mitnick can sell your zero-days for you, but I imagine there's not much money in it unless you find really important ones, such as RCE in Mac OS X or Windows.
As far as I know, those services are legal and safe for the researcher to use. I have also heard that the main buyer with big money is the NSA. I see nothing wrong with using such programs.
Full Disclosure
If you abandon all hope of getting paid for your zero-day, you can just dump it publicly. This may serve to help others, good and bad, but it may also place you in legal jeopardy if you confess to crimes performed to find the vulnerability.
You can try to conceal your identity, but that is very difficult to do effectively. Almost everyone makes a mistake sooner or later and can be found.
Disclosure to Your Clients
Several people have told me that they find zero-days and disclose them only to paying clients, who are companies interested in protecting themselves from zero-days, not criminals planning to use this knowledge to attack others.
Personally, I see nothing wrong in that. Researchers have no obligation to give away their results for free. And if the vendors cared, they would have bug bounty programs.
It might be a politically wise move to disclose the results to the vendors too, just to create a more friendly public image, but I see no legal or moral reason to protest a company like VUPEN that doesn't do that.
Of course, if you are knowingly selling to criminals who use the vulnerabilities to commit crimes, that's unethical, and probably illegal.
If you are selling to oppressive governments who use your information for human rights abuses, you enter a murky world legally and morally, where there are no easy answers. Some people include the USA and the NSA in this category, but I think that's nonsense.
I wouldn't sell a zero-day to ISIS. But what about the Chinese government? Is it right to sell a zero-day to them? I see no easy way to answer that question.
Complaints from Idealists
Idealists will say everyone must disclose vulnerabilities to vendors so they can be patched.
In my opinion, this is the voice of ignorance, from someone who has never tried it. The vast majority of vendors don't care. At all. They have no clue. They won't understand a word of the disclosure, and sometimes they take revenge on you for daring to tell them.
There are a lot of political zealots, trolls, and people with high passions about computer security. No matter what you do, if you are visible in this field, someone will abuse you and say you are unethical.
I think the best way to handle ethical complaints is to dig deep and figure out what you really care about, and then listen to critics with an open mind as much as practical. But some of the critics are just trolls and you have to ignore them.
My Disclosure Policy
Personally, I disclose findings to vendors and wait 30 days before publicly announcing my results. I do that as a courtesy--it seems rude to publicly shame a company without having given them a chance to respond first. I also do it for public relations purposes, to avoid attracting excessive complaints to the college I work for. But in most cases it's a purely symbolic gesture, like the Terms of Service on a website that no one reads. There are a few vendors that actually respond to security notices, too, so this is not completely useless.
That way, when people ask, I can say "I told the vendor, and gave them a chance to fix it."
Posted 2-27-15 by Sam Bowne