At last month’s conference, TippingPoint paid US$10,000 for a vulnerability discovered by researcher Dino Dai Zovi after he and a partner won a "hack-a-Mac" contest.
But Gartner analysts Rich Mogull and Greg Young concluded in a research note titled "QuickTime vulnerability exposed by contest poses wide risk" that vendors and security services firms should "consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users."
Hacking challenges are well intended, the researchers said, but they can lead to opportunities for criminals.
"Public vulnerability research and ‘hacking contests’ are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," the researchers said.
"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities – which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers," they added.
The QuickTime vulnerability was not publicly exploited before being patched late Tuesday by Apple, according to researchers.
User interaction is needed to exploit the flaw, which affects QuickTime on both Windows and Mac OS X.
Terri Forslof, manager of security response at TippingPoint, told SCMagazine.com that her company didn’t set up or sponsor the challenge, but was approached by CanSecWest organisers about the cash prize.
The purchase of the vulnerability ensured that its details stayed among the researchers, TippingPoint's Zero Day Initiative and the vendor – in this case Apple, which patched the flaw in less than two weeks, according to Forslof. But bloggers and other media outlets who attended the conference knew about the discovery, which prompted immediate and widespread discussion and speculation across the web.
Kris Lamb, director of X-Force labs, the research wing of IBM Internet Security Systems, told SCMagazine.com that firms cannot guarantee exclusive ownership of a flaw bought from a researcher.
"The information is being talked about in public, as well as details of the vulnerability, and it doesn’t take very long for a skilled researcher to piece the details together and know what new vulnerability is out there that Apple hasn’t remediated yet," he said.
"Bug bounties don’t offer more protection to the customers, and I would argue that they put the customer more at risk whether they realise it or not."
Dragos Ruiu, principal organizer of CanSecWest, told SCMagazine.com today that the contest made Mac users safer because the QuickTime flaw is now patched, whereas it could still be unknown if it hadn’t been exposed.
"I completely disagree and that’s my opinion. I think those flaws would’ve stayed hidden and would still be a vulnerability. The quicker we get those disclosed and closed, the safer the software is," he said. "The people who come to the conferences are all IT security professionals, so there might not be a better place."
CanSecWest hacking contest slammed
By Frank Washkuch on May 3, 2007 9:53AM