Ethics of Zero-Day Sales

A friend asked me about this topic, and I decided to post my response publicly so others can see it and discuss it.

Background

Consider a security research company that finds zero-day vulnerabilities in software and on Web sites. Once they have the zero-days, what can they do with them?

Legal Risks

My understanding of the law is that the CFAA makes all discoveries of security problems on websites illegal unless that company has authorized you to discover their vulnerabilities.

Therefore, notifying a company that has not employed you places you in legal jeopardy, unless they have a bug bounty or vulnerability disclosure program. You are confessing to a crime.

I used to do this a lot. I notified hundreds of colleges and companies, and gave a talk about it at HOPE X, but I have stopped doing it because of the chilling effect of the CFAA, and also because it had very little effect. Only 20% of the people I notified fixed the problems.

Finding vulnerabilities in locally installed software, such as Windows, is legally safer, as far as I know.

Offering to Sell Zero-Days to a Company

Unless a company has a bug bounty program, or a vulnerability disclosure policy, you are unlikely to get money out of them for a zero-day. And they may interpret your notice as extortion, a threat to hack them unless they pay up.

I strongly advise not to advertise your business in this manner unless you have run it past an attorney first.

Selling Zero-Days Through Brokers

Brokers like ZDI and Kevin Mitnick can sell your zero-days for you, but I imagine there's not much money in it unless you find really important ones, such as RCE in Mac OS X or Windows. As far as I know, those services are legal and safe for the researcher to use. I have also heard that the main buyer with big money is the NSA.

I see nothing wrong with using such programs.

Full Disclosure

If you abandon all hope of getting paid for your zero-day, you can just dump it publicly. This may serve to help others, good and bad, but it may also place you in legal jeopardy if you confess to crimes performed to find the vulnerability. You can try to conceal your identity, but that is very difficult to do effectively. Almost everyone makes a mistake sooner or later and can be found.

Disclosure to Your Clients

Several people have told me that they find zero-days and disclose them only to paying clients, who are companies interested in protecting themselves from zero-days, not criminals planning to use this knowledge to attack others. Personally, I see nothing wrong in that. Researchers have no obligation to give away their results for free. And if the vendors cared, they would have bug bounty programs. It might be a politically wise move to disclose the results to the vendors too, just to create a more friendly public image, but I see no legal or moral reason to protest a company like VUPEN that doesn't do that.

Of course, if you are knowingly selling to criminals who use the vulnerabilities to commit crimes, that's unethical, and probably illegal. If you are selling to oppressive governments who use your information for human rights abuses, you enter a murky world legally and morally, where there are no easy answers. Some people include the USA and the NSA in this category, but I think that's nonsense. I wouldn't sell a zero-day to ISIS. But what about the Chinese government? Is it right to sell a zero-day to them? I see no easy way to answer that question.

Complaints from Idealists

Idealists will say everyone must disclose vulnerabilities to vendors so they can be patched. In my opinion, this is the voice of ignorance, from someone who has never tried it. The vast majority of vendors don't care. At all. They have no clue. They won't understand a word of the disclosure, and sometimes they take revenge on you for daring to tell them.

There are a lot of political zealots, trolls, and people with high passions about computer security. No matter what you do, if you are visible in this field, someone will abuse you and say you are unethical. I think the best way to handle ethical complaints is to dig deep and figure out what you really care about, and then listen to critics with an open mind as much as practical. But some of the critics are just trolls and you have to ignore them.

My Disclosure Policy

Personally, I disclose findings to vendors and wait 30 days before publicly announcing my results. I do that as a courtesy--it seems rude to publicly shame a company without having given them a chance to respond first. I also do it for public relations purposes, to avoid attracting excessive complaints to the college I work for. But in most cases it's a purely symbolic gesture, like the Terms of Service on a website that no one reads. There are a few vendors that actually respond to security notices, too, so this is not completely useless.

That way, when people ask, I can say "I told the vendor, and gave them a chance to fix it."

Posted 2-27-15 by Sam Bowne