Why Is Paid Responsible Disclosure So Damn Difficult?

So I’ve been sitting on an Apple vulnerability for over a month now, and I’m really starting to realise that maybe just sending the details to the Full-Disclosure mailing list and Exploit-DB.com is the right way to go about disclosing vulnerabilities and exploits.

I initially contacted ZDI to see if they would be at all interested in buying the exploit off of me, as I spent a lot of time researching and finding this one, and I’d like to get something for my efforts. I am a firm believer in the No More Free Bugs movement, and I understand and appreciate what ZDI are doing, but the fact that it took them just under a month to get back to me is really not good enough, to be very honest. If they don’t have the researchers, then advertise worldwide, instead of just US only. I know I, for one, would be happy validating bugs all day, and this is the type of work that can be done remotely.
Yesterday I also submitted the same information to the iDefense Labs Vulnerability Contributor Program (VCP), who claim to get back to me within 48 hours, so we’ll see how that goes. I will update this post as and when I know more.

I also took the off chance of mailing Apple directly, and asking if they offer any rewards for vulnerabilities that have been found, and if so what they would be. I don’t have high hopes of Apple offering anything, but to be honest, I would prefer to disclose this one directly to Apple. They, however, have paid staff to do this work on a full-time basis on all their products, so why aren’t they doing it properly? I feel that anyone else finding bugs for them should be compensated appropriately. However, I e-mailed them yesterday and received an automated response, so we’ll see how long it takes them to respond to me as well.

This may end up being a rather long post, but let’s see. I’m also expecting to see quite a few interesting comments on this post as well, so come on people.

UPDATE 30/06/2010:

Received a response from iDefense last night, and a request for more info. So just over a 24-hour response time, which is brilliant; I’m really impressed so far.

Received a response from Apple, and if I would like any reward (aside from credit for the find), then I was informed that I should go through ZDI or iDefense.

  • foobar

    It can take a very long time to sell a vuln. And it can take a long time to verify vulns as well. Consider that a company like ZDI needs to protect themselves from bad reports, otherwise they lose thousands. ZDI has also been flooded lately; if you watch the number of cases open, it is increasing several times faster than ever before! At least they did the smart thing and added head count. (Sure, it was a bunch of fresh grads, but they will learn.)

    Once you give iDefense a try, if they do not want it, then try these next two:

    If no one has bought it after that, then you may be out of luck. If something like wabisabilabi existed, you would have another option..

  • Andy

    Interesting post and I imagine it’s a frustrating dilemma. It highlights that more needs to be done on disclosing vulnerabilities (responsibly).

    On a side note, once the vulnerability is disclosed, would you be willing to explain more about how you found it, the process you went through, tools used etc? I’d like to learn more about finding/developing vulnerabilities especially for Apple (mainly OSX).

    Also, what did ZDI say when they got back to you? Was it a positive response?

  • xyberpix (http://www.xyberpix.com)

    @foobar, thank you for the other two mentions, really appreciate it.

    @Andy, in regards to describing the process I went through, tools I used, etc.: I could write a post, but didnot did a really good one over at the Offensive Security blog, so mine would really just be a re-hash of his. Check it out here: http://www.offensive-security.com/vulndev/evocam-remote-buffer-overflow-on-osx/