This is a guest post from Andy Zmolek, Senior Manager, Security Planning and Strategy at Avaya, and past participant in VOIPSEC mailing list discussions and other VOIPSA activities. Andy asked if I could publicize this because he believes it is a discussion which we in the security community need to have.
Text by Andy Zmolek of Avaya:
Is it appropriate for a security research firm to require payment from a product vendor prior to detailed vulnerability disclosure? I received the following notification this morning from the CEO of a VoIP security startup:
“I wanted to inform you that VoIPshield is making significant changes to its Vulnerabilities Disclosure Policy to VoIP products vendors. Effective immediately, we will no longer make voluntary disclosures of vulnerabilities to Avaya or any other vendor. Instead, the results of the vulnerability research performed by VoIPshield Labs, including technical descriptions, exploit code and other elements necessary to recreate and test the vulnerabilities in your lab, is available to be licensed from VoIPshield for use by Avaya on an annual subscription basis.
“It is VoIPshield’s intention to continue to disclose all vulnerabilities to the public at a summary level, in a manner similar to what we’ve done in the past. We will also make more detailed vulnerability information available to enterprise security professionals, and even more detailed information available to security products companies, both for an annual subscription fee.”
I would like to solicit opinions about what appears to me to be a new challenge to infosec industry best practices. For those of you who work for software or equipment vendors, have you ever received similar notices from legitimate security researchers? Does anyone here believe the practice of equipment vendors making payments to security researchers in order to receive details about potential exploits is an acceptable business practice?
For infosec professionals, would you be comfortable purchasing services from a security research firm that follows such a policy?
NOTE from Dan York: In an effort to get VoIPshield’s perspective, I attempted to reach CEO Rick Dalmazzi but could only get his voicemail. (Perhaps because it is Canada Day and they are in Ottawa.) Andy Zmolek informed me on a call today that he had emailed Rick this morning asking when VoIPShield would be updating their Vendor Disclosure Policy (dated Nov 2007) that is on their Vulnerability Advisories page, as this email from Rick represents a significant departure from that stated policy. I also called the number of the PR contact listed on VoIPShield’s website but that extension went to a “general delivery” mailbox. This post will be updated with information from VoIPShield Systems when such information can be obtained.
On July 1st I sent a confidential email to Cisco, Avaya, Nortel and Microsoft advising them that we, VoIPshield, would be making changes to the way we make VoIP security vulnerability content available to the industry. I advised them that formal announcements would be made later this month, and invited them to view the beta version of our new offering as a courtesy.
In a response that was not entirely surprising, but disappointing nonetheless, Mr. Zmolek chose to post a portion of my confidential email on this forum.
I’m not a big fan of participating in forums, especially when they involve confidential pre-announcement matters intended to be discussed privately between business partners prior to public disclosure. But since our announcement has been somewhat pre-empted, let me briefly describe what we plan to do.
VoIPshield has what I believe to be the most comprehensive database of VoIP application vulnerabilities in existence. It is the result of almost 5 years of dedicated research in this area. To date that vulnerability content has only been available to the industry through our products, VoIPaudit Vulnerability Assessment System and VoIPguard Intrusion Prevention System.
Later this month we plan to make this content available to the entire industry through an on-line subscription service, the working name of which is VoIPshield “V-Portal” Vulnerability Information Database. There will be four levels of access (casual observer; security professional; security products vendor; and VoIP products vendor), each with successively more detailed information about the vulnerabilities. The first level of access (summary vulnerability information, similar to what’s on our website presently) will be free. The other levels will be available for an annual subscription fee. Access to each level of content will be to qualified users only, and requests for subscription will be rigorously screened.
So no, Mr. Zmolek, Avaya doesn’t “have to” pay us for anything. We do not “require” payment from you. It’s Avaya’s choice if you want to acquire the results of years of work by VoIPshield. It’s a business decision that your company will have to make. VoIPshield has made a business decision to not give away that work for free.
It turns out that the security industry “best practice” of researchers giving away their work to vendors seems to work “best” for the vendors and not so well for the research companies, especially the small ones who are trying to pioneer into new areas.
Final note to Mr. Zmolek. From my discussions with enterprise VoIP users, including your customers, what they want is bug-free products from their vendors. So now VoIP vendors have a choice: they can invest in their own QA group, or they can outsource that function to us. Because in the end, a security vulnerability is just an application bug that should have been caught prior to product release. If my small company can do it, surely a large, important company like Avaya can do it.
Note to members of this forum: If you would like to help us beta test our V-Portal offering, send an email to firstname.lastname@example.org. I’d love to get your feedback.
President & CEO
VoIPshield Systems Inc.
Thank you for replying and doing so at such length. I have a couple of comments:
1. After posting this article on Andy’s behalf, I subsequently saw the full email you sent to Avaya. When I read it, I did not get any sense that anything was confidential. It honestly seemed to me to be a “form letter” type of email with Avaya’s name filled in. I could very easily see why Andy would reach out to other vendors to see if they, too, had received this email. Upon re-reading the message after seeing your reply, I did notice that the final lines of your email footer contain legal text in a smaller, italicized font that could be read to restrict further distribution. I am very definitely NOT a lawyer and will leave it to others to assert the validity of such footer statements. My only suggestion would be that in the future you may want to highlight more clearly that your communication is intended to be confidential. As I said, this was not at all clear to me upon initially reading the message.
2. Your reply above seems a bit at odds with the text Andy provided. Your reply indicates that you notified 4 vendors that you “would be making changes” with formal announcements coming later this month. However, the email provided states that “Effective immediately” you will stop providing voluntary disclosure of information. If you are indeed making this change “effective immediately”, that is very much definitely at odds with our published Vendor Disclosure Policy. (UPDATE: I just noticed after publishing this comment that the Vendor Disclosure Policy has been removed from the VoIPShield website, which, in my opinion, is good in that at least one thing is not being said publicly while another is said privately.)
3. I understand and can appreciate your desire to be compensated for the security research your firm does. As Dustin has said in his comment, this is an area where business models are continuing to evolve. I admittedly share some of Dustin’s skepticism about the vendors’ participation, particularly given the four specific vendors you are seeking to involve, but I do wish you all the best in trying out the business model.
Thank you again for commenting publicly,
I applaud this move… NMFB.
Sometimes “thank you” in an obscure advisory isn’t enough. Companies aren’t spending time on QA because they don’t have to – we’re doing it.
Also, if the word ‘confidential’ appeared anywhere in the email that those snippets are from, Andy@Avaya has made a very poor judgment call. tsk tsk.
I believe it’s perfectly acceptable for researchers to request compensation for work they have done, whether it be directly from the vendor, or through a third party. There is (and has been for a few years now) a fairly well established industry around this practice. If an equipment vendor doesn’t feel the information is valuable enough to pay for themselves, the researcher is more than welcome to sell their information to a vulnerability broker such as TippingPoint’s ZDI program, iDefense’s VCP, SNOSoft, or any of a handful of others, who usually glean some value from it and then turn around and responsibly disclose the information to the vendor for free anyway.
Ultimately, the researcher who found the vulnerability and spent effort developing it owns it as intellectual property, and can do with it whatever they wish. Some will choose to give the vendor the information for free (or for a credit in the advisory), some will sell to a broker, some will attempt to sell directly to the vendor, some will disclose it publicly without warning, and some will sell to the black market to be used for nefarious purposes. All of these scenarios happen quite regularly, and all but the last scenario I believe are acceptable practice. Unfortunately the last scenario usually commands a much higher price and provides more compensation for the researcher. Researchers have no “duty” or “responsibility” to disclose anything to a vendor for free, period.
I don’t particularly like the licensing-focused business model that VoIPShield has chosen, but it’s entirely within their rights to market and sell their IP any way they wish. The market will decide if there is any value in it, but my hunch is that at least for product vendors, no, there isn’t. The primary reason the 3rd party vulnerability broker market even exists is because it has been (historically) notoriously hard to get a vendor of an affected product to pay for such information. There’s more value in the information for the vulnerability brokers for a variety of reasons, which is why they pay a higher price for it (or at all).
There are also other companies who have similar vulnerability sharing clubs, notably Immunity, and while I’m not sure how many product vendors they have as subscribers, I’ll bet the majority of their customer base are professional services types who engage in assessments and penetration tests, where that information has much greater value, especially the longer it remains OUT of the vendors’ hands. VoIPShield may have some success in that market with their service, but I wouldn’t expect many product vendors to be subscribing.
If a vendor doesn’t have the resources to conduct research or simply can’t stay ahead of current and surfacing threats pertaining to their own products, they shouldn’t have any other choice, but to pay for the research.
It is the vendor’s responsibility to be proactive and mitigate the security flaws in the solutions that they sell, until that product is discontinued or unsupported.
It is also important to understand a vendor’s philosophy and approach in how they handle security and product integrity, prior to doing business with them.
I can’t accept the idea that it is the customer’s “Responsibility” to have to go out and purchase bug fixes through a security assessor or subscription service to protect themselves from threats that should have been resolved by their vendor(s), especially if that customer is paying for licensing and support.
I think that it is acceptable for the security research firm to have a business model seeking income for their efforts. Especially if they have a relationship with the vendors and a stated policy around their disclosure model then it does not come across as ‘extortion’ as some in other security circles have maintained.
If an independent developer invests their time and effort to create a new feature that extends the functionality of the vendor’s product, does the vendor get to co-opt that effort for free? No. They would have to somehow license the feature or compensate the developer.
Vulnerability research should not be any different. The vendor could have (and possibly should have) done the research in house and found the vulnerabilities on their own. If independent security researchers invest time and effort to do it for them their efforts need to be compensated. If not, the security researchers will fade away, the vendors still won’t invest the effort and the only ones who will know about the vulnerabilities are the bad guys who will exploit them.
Eric Rescorla (EKR) weighed in on this issue on his own blog:
A researcher does not have to disclose any information against their will. If a company decides to pay the researcher for details then so be it. There are sometimes interesting twists. For example, when a company accuses a researcher of attempted “BlackMail” without cause then they should no longer have the expectation of reasonable disclosure from the researcher.
From a personal experience Digium is a company that fits this description. A current employee of theirs accused me of blackmail when informing them that their IAX2 protocol is riddled with DoS vulnerabilities. Notwithstanding the wave of libel and slander. The vulnerabilities were never fixed and are present in the stable version of the protocol. Exploit code was later published on the internet.
There are two ideological groups in this situation.
A) The vendor, who put blood, sweat and tears into making their software what it is. They will do whatever they can to limit the potential exposure of bad PR. They have an emotional attachment to their solution and don’t appreciate a random person describing how their software is inferior.
B) The researcher, who put in the time and effort to vet a protocol for stability and general security issues. Once flaws are discovered the vendor is then notified. The rough details are described to the vendor and a relationship is forged.
If it takes the researcher 10 hours of their time to help the vendor fix a vulnerability then would there be a reasonable expectation for compensation? Why would a vendor expect “FREE” security consultation? A Researcher could easily just hock a vuln to an 0day shop who sells it to governments and other offensive organizations.
“When” I find additional bugs in Asterisk, Digium will be left in the dark. I’d rather hock it for a couple of bucks. They had their chance the first time. Their loss.
They will get No Free Bugs…
It’s fascinating how so many look at this question solely from the vendor angle, as if that somehow can absolve researchers of any ethical responsibilities.
I’ll point out that it is within a researcher’s rights to invite the vendor to bid for vulnerability information against anonymous interests in eastern Ukraine, with the info going to the highest bidder. And we could also say that in such a case it is quite possibly in the vendor’s best interests to outbid the Ukrainians, even (I’d say *especially*) if the bid is high.
In that case, the researcher is within his rights, and we can see a best course for the vendor, so it must be that this situation is perfectly fine. Right?
Or is something missing here? Like, oh, say, ethics?
In VoIPshield’s case, they are leaking vulnerability information through their products, which almost certainly will end up in the hands of malware authors, and taking no personal responsibility for whether or not the vulnerabilities get fixed. When users get compromised, they cannot lay responsibility solely at the feet of the vendor, because they played an important part in enabling those compromises. Blaming the vendor is a *lot* like the extortion case (e.g. “It’s not my fault the building burnt down, I just doused it with gasoline, and it was the smokers outside who caused the fire — but the company could have prevented the dousing if they’d paid my $10,000 in advance, but they refused, so it’s their fault”).
I wrote something distantly related to this topic here:
I kind of promised to start writing more actively here in VOIPSA also, so stay tuned for something that might be more related to VoIP. 😉