"Own-the-Internet" for Fame and Profit
First Published: X-Force Monthly Magazine

Keeping an eye on the latest security advisories is core to staying ahead in the world of security consulting, but advisories offer more than that. Security advisories largely drive the security vulnerability industry, reminding clients of threats and reinforcing the need to maintain constant vigilance.  

While it is increasingly the case that too many security researchers release advisories without first discussing the vulnerability with the vendor, I instead have focused on working closely with the software vendors to patch the vulnerability before it's publicly announced, thereby protecting the vendor and their customers (who are often my clients as well). However, many upcoming security researchers and bug hunters who focus intensely (almost single-mindedly) upon discovering the next “own-the-Internet” vulnerability are driven by the fame they perceive goes with public disclosure.

There was a time when almost all vulnerability disclosures included an educational walk-through as to how it was found and how it could be exploited. In these “good old days,” I guess you could say the bug hunter was like a peacock, displaying his skills for all to see, and hunting for the next challenge. For those that couldn’t find the “own-the-Internet” vulnerabilities, it was good enough to develop proof-of-concept (PoC) code and show how lesser vulnerabilities could be combined to compromise a host. This was fine until a few worm writers decided to make use of the advisories’ content and take down sizable chunks of the Internet. One such example, Slammer, forever changed people’s perception of this disclosure practice.  

Very few professional researchers and bug hunters now provide as much information in their advisories. In fact, those who work for security research organizations tend to give away very few hints as to where the vulnerability actually lies and how it can be exploited – which has in turn resulted in a new generation of security researchers (or engineers) who focus on developing PoC or add-ons for popular penetration testing tools.

There’s still a problem, though. A freelance researcher who may have invested days or weeks finding the bug (or the organization that purchased the vulnerability from the researcher) often still wants the recognition of finding that “own-the-Internet” vulnerability. However, the researcher knows that releasing a detailed walk-through or PoC will likely turn him into a leper within the security community for leaving computer users open to compromise. For some, the opportunity to “strut their stuff” is too great, and they irresponsibly disclose the vulnerability for their 15 minutes of fame – then spend the next six months hoping they don’t get arrested.

It would seem that the notoriety associated with finding an “own-the-Internet” vulnerability has decreased in recent years (there are just so many of them), and that press coverage (i.e. newsworthiness) of such a disclosure typically only lasts one or two days. The press coverage may last longer if the vulnerability is disclosed as a 0-day and there are no vendor fixes available – but that’s likely to send the freelance researcher directly to the leper colony for putting computer users at great risk. However, if the vulnerability gets absorbed into an effective network worm and really does start to “own-the-Internet,” then the press coverage could last weeks, if not a lifetime.

So, what’s a freelance researcher to do? Well, it would appear that many are experimenting with exactly how much relevant information you can put in an advisory before the security community calls foul, while still hoping that their discovery will be made into a killer worm resulting in lots of media attention. Unfortunately, it appears that this strategy has also been adopted by some well-known security companies that purchase vulnerabilities from freelance researchers – perhaps they’re looking to recoup some of the costs of their purchase? In my mind, this is a dangerous strategy that cannot be condoned.

However, even when researchers and security companies do refrain from posting any details that could be used to build PoC, exploit code may still be created by someone – after all, there’s a lot of incentive to do so.

The problem becomes more pronounced with responsibly disclosed “own-the-Internet” vulnerabilities that affect multiple vendors – each of which posts its own advisory about the bug and how it affects its products. By reading multiple advisories about the same vulnerability from different sources, enough information is often unintentionally leaked by the software vendors themselves, and it is trivial to piece it all together and build PoC.

So, regardless of whether it was disclosed responsibly, was released with too many details, or is a true 0-day, you need to keep a close eye on all those advisories because someone else definitely is!

Copyright 2001-2007 © Gunter Ollmann