[funsec] Bug hunting start-up: Pay up, or feel the pain

Richard M. Smith rms at computerbytesman.com
Fri Aug 3 10:39:39 CDT 2007

Bug hunting start-up: Pay up, or feel the pain
By Dawn Kawamoto

An upstart security research firm with a controversial business model is at
the center of a debate over how software bugs should be disclosed.

Vulnerability Discovery and Analysis (VDA) Labs <http://www.vdalabs.com/>,
founded in April by Jared DeMott, notifies software vendors of security bugs
found in their software, as do many other security researchers.

But as part of VDA's business model, vendors are asked to pay for the bugs
it discovers, or its consulting services, otherwise VDA threatens to sell
the bug to a third party or make the details of the security flaw public.

DeMott, who has done work for the National Security Agency among other
places, describes his business model as "edgy," while other security
researchers see it as more akin to "extortion." The practice, in either
case, veers from the more traditional ways bug hunters have worked with
software vendors and security firms.

Just two weeks ago, LinkedIn, the popular social-networking site, got a
taste of VDA's business practices, when the Michigan security company
claimed it had found a critical security flaw in the LinkedIn Internet
Explorer Toolbar.

"We've discovered an attack against the LinkedIn toolbar. If you are
interested in the bug, we would like to give first right of refusal to
purchase it. We'd also like to perform a more complete security audit of
your products. We can help make the LinkedIn products more secure," DeMott
stated in an e-mail sent to LinkedIn on July 10, as viewed by CNET News.com.

The e-mail continues: "If you wouldn't like to buy it then we are happy to
resell or release as a full disclosure to help prevent security issues
arising on end users' servers. We strongly believe in keeping users safe. We
are unique in that we give vendors a first chance at the bugs we discover
rather than selling to a third-party or releasing publicly. Please find the
VDA Labs Value add document attached. If you'd like to buy the bug we will
provide working attack code, so that you can verify the bug, before you send
the check."

VDA set a deadline of July 17 and requested a payment of $5,000.

After failing to receive a response from LinkedIn, DeMott sent two e-mails
on the eve of the deadline. One served as a reminder that the deadline was
looming, and the other stated the price had increased to $10,000.