Chrome exploit and sandbox escape demonstrated at CanSecWest, $60k awarded (pwnium.appspot.com)
132 points by lawnchair_larry on March 7, 2012 | 43 comments



Well, it seems ZDI sort of missed the boat with their earlier statements about 60k not being enough.

Quote: Due to our disagreement about the best way to get the most vulnerabilities fixed, Google has withdrawn sponsorship of Pwn2Own. We understand their reasons for doing so: they want to be able to receive the sandbox escape details to improve the security of their product. That is why they launched Pwnium. What we believe they fail to realize is that, for the $60,000 they are offering, it is incredibly unlikely that anyone will participate. For example, a quote from a prior Pwn2Own winner: https://twitter.com/#!/VUPEN: "Google canceled its sponsorship of #pwn2own and launched its own #pwnium. To win, report your sophisticated exploit. We're not interested!".

http://dvlabs.tippingpoint.com/blog/2012/02/29/pwn2own-and-p...


Whatever the price, Google won't root out all the vulnerabilities. A (relatively) smaller price gets people to compete for fame, which can be a more powerful motivation; a large price gets people to compete for the money, but Google may not be the highest bidder.

That said, ZDI may have a point that the requirement for the full exploit is unnecessary; seeing the exploit in action might be enough for educated guesswork, thus seeing more exploits might be a good thing (in terms of security, not reputation).

The obvious compromise would be to set two rewards: one for showing the exploit, another for showing its source code, at the hacker's option. By not disclosing the exploit the hacker would give up a higher guaranteed reward in exchange for a chance to make a juicier deal, but they'd be racing against Google's reverse-engineering effort.


> The obvious compromise would be to set two rewards: one for showing the exploit, another for showing its source code, at the hacker's option. By not disclosing the exploit the hacker would give up a higher guaranteed reward in exchange for a chance to make a juicier deal, but they'd be racing against Google's reverse-engineering effort.

I'm not sure if I'm completely understanding your idea... but in your proposed scenario wouldn't Google be sponsoring a place where the actual attackers that want to screw their users can window shop for working exploits? All researchers would be getting money from Google for participating in their contest, to then sell their working exploit that would take Google a significant amount of time to fix to the highest bidding blackhat/government.


OK, it's a screwy compromise, and it wasn't exactly intended by a single party. But it's happening anyway, in the sense that Google is awarding money for full exploits, and ZDI is awarding money for something that is both tasteless advertising, and still allows Google to fix more bugs than if they appeared only on the black market.


I disagree; the sandbox is by far the best defense ever made in a browser. 60k per exploit is quite a good sum, even for a couple of months' worth of work.

It should not be a blackmail sort of operation.


It's a very good sum for a couple of months' work coding indeed. That'd be about 1.5-3x the amount for regular coding work, roughly, yes?

However, if you factor in the freelance/one-time-only factor, it becomes somewhat more fair, but still really good money.

But then you also factor in the fact that he's using a very unique skill set in order to do this job, one that maybe a few handfuls of people on this planet possess. And then I wonder.

But it's still good money, regardless :)


>a large price gets people to compete for the money, but Google may not be the highest bidder.

How exactly does it hurt the fame angle?


It's a well-known psychological effect. If you reward people for an activity that they already enjoy, then they will enjoy the activity less; their motivation has been diverted towards the reward.


The extra money is for dealing in a grey market. I thought people would want to be more discreet about this.


No, actually ZDI was right, because VUPEN broke out of Chrome's sandbox in the Pwn2Own contest (not Google's contest) and refused to explain the vulnerability, because it's far more valuable to sell to their customers:

http://www.wired.com/threatlevel/2012/03/pwnium-and-pwn2own/

"A Google engineer offered Bekrar $60,000 on top of the $60,000 he stands to earn in the Pwn2Own contest if he handed over the sandbox exploit and details. But Bekrar declined and joked that he might consider the offer if Google bumped it up to $1 million. After the Google engineer left the conversation, Bekrar told Wired that money wasn’t the main enticement for him and he had no plans to hand over the exploit to Google.

"The Google security team member expressed frustration at Bekrar’s reluctance to provide information about the vulnerability so that it could be fixed."


If I was a white/grey-hat hacker prodding for exploits for lulz and fame, an extra $60k would come in pretty handy for something I would be doing for free anyway.

Also, not to forget is that $60k is a LOT of money to most people that are not .com millionaires.


Maybe I'm mistaken, but my takeaway is that any hacker with the skills necessary to find such an exploit would not bother. It's a lot of money for most of us, but my impression is that these competitions don't target most of us.


I'm not big into the security game/community, but I really don't understand the logic of "don't divulge how you break out of the sandbox = more exploits get fixed". And I did read the source link and try to understand...


Google just wants the work done for them. If you can make an exploit, you can explain how it works and how to patch it. On the other hand, if Google just sees an exploit in action, they have to spend time reverse-engineering it to find out how it breaks the sandbox and come up with a fix; that takes far more time than simply requiring the working exploit.


They are paying you $60,000... Hardly exploitative! And it's legal!


$60k looks like a lot less when you don't know going in that you'll even find anything. It's potentially months of speculative work, and you stand a very good chance of coming up empty handed. For not much less, anyone with this skill set can have a guaranteed salary.

There is also the fact that anyone in the industry can make a few phone calls and have a bidding war on this type of exploit that will go well into the 6 figures, possibly as high as 7 according to some. $1M sounds high to me personally, but there is no doubt that it will fetch a few hundred thousand.


Taking the 60k from Google doesn't lead to spending several years of your life in Federal prison, which is a significant risk with selling an exploit.


Where on earth did you get the idea that there is something illegal about selling exploits? Several companies exist that do exactly this, and they operate in public, above board.

To my knowledge, the US government is the biggest buyer of unpublished exploits. And they pay a lot more than 60k. One well-known US-based company is even run by a former NSA employee, and they're currently advertising a remote pre-authentication exploit in the latest version of MySQL.


Ignoring the US government, what legal use would a company have for un-patched exploits?


Penetration testing is the common answer, though that job description can also be a bit of a euphemism.

It is also worth noting that breaking into the computer of a foreign national that is located overseas is often not a crime in the United States, or is at least considered very difficult to prosecute if it doesn't involve fraud, financial transfers or a few other hot buttons.


Fame, reputation, marketing, using 0day in pen-tests, etc.

This isn't new, security companies have been paying contractors for unpublished advisories and exploits for over 15 years now.


Well besides the vendor you mean?


Links please.



Are you familiar with anyone who has ever gone to prison for selling an exploit to a third party? What were they charged with? You may not be interested in the kind of attention you'd get from intelligence or law enforcement, but as far as I know the act itself is legal in most/all jurisdictions.


It's also fairly 'common knowledge' that taking $60k and some hacker fame from Google in a legitimate setting is a VERY legitimate way of setting yourself up for a $100k/month job at Google or any reputable infosec company.

Selling exploits on the black/grey market is and will always be fast money, and a bad idea.


Infosec jobs that pay $1.2MM a year? The only people making close to that are the blackhats - and not many of them.


They also pay $500 000 when reported via other means, of course, if that's coming from a company like.. VUPEN.

Pwnium is just there to lower those prices, at least attempt to.

This one exploit is there to be able to say "see, we get those for 60K, why would we pay you 500K"?


I thought Google refused to pay that. There was that whole twitter-tiff over it.


  When it comes to vulnerabilities affecting modern day 
  browsers, there are two main categories: code execution 
  and post-exploitation bypasses (sandbox escapes).
  [...]
  Without one of these, the second type of vulnerability is 
  neutered.
The idea is to encourage researchers to divulge only their more common (and thereby relatively less valuable) code execution exploits, as fixing these exploits alone will (according to ZDI's theory) defuse any threat the sandbox escape exploits pose.


ZDI, though, is insanely biased in this regard. They make their money by selling protection to companies -- fewer bugs, less money for them. Google has a vested interest in making their software more secure, ZDI has a vested interest in keeping their customers coming back for more patches.


From a high level, divulging the details could lead to the hole being patched up. Not having the details requires a much more thorough study being done to find out what happened.

i.e. if someone reports a working exploit for Chrome, but doesn't tell how, Google has no choice but to investigate as deeply as it can and root out any possibility it can think of, and perhaps do automated checks in all of the source where it could possibly happen.

If you instead point out it's a buffer overrun in file x.c, they'll likely just patch up that one file.
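To make the "buffer overrun in file x.c" case concrete, here is an added example (not code from the thread, Chrome or any of the companies mentioned) of the kind of one-file patch the comment has in mind. The record format, the buffer size and the function names are all constructed for illustration: a length-prefixed field is copied into a fixed buffer, the unpatched version trusts the declared length, and the patched version bounds the copy by both the destination size and the bytes actually received.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record format for this example:
 *   byte 0      : declared payload length
 *   bytes 1..n  : payload
 * A parser like this sits in one source file; the fix below touches only it. */

#define FIELD_MAX 16

/* Unpatched form (the "buffer overrun in x.c"): it trusts the declared
 * length, so a record declaring more than FIELD_MAX bytes writes past the
 * end of 'out'. Shown for comparison only; nothing below calls it. */
void read_field_unchecked(unsigned char *out, const unsigned char *rec, size_t rec_len)
{
    (void)rec_len;                     /* the received length is never consulted */
    size_t declared = rec[0];
    memcpy(out, rec + 1, declared);    /* overrun when declared > FIELD_MAX */
}

/* Patched form: returns the number of bytes copied, or -1 when the record
 * is malformed. Two checks close the hole: the declared length must fit the
 * destination, and it must not exceed what was actually received. */
int read_field_checked(unsigned char *out, size_t out_size,
                       const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1)
        return -1;                     /* no length byte at all */
    size_t declared = rec[0];
    if (declared > out_size)
        return -1;                     /* would overrun the destination */
    if (declared > rec_len - 1)
        return -1;                     /* declared length exceeds received bytes */
    memcpy(out, rec + 1, declared);
    return (int)declared;
}

/* Constructed inputs exercising the patched parser. */

/* A well-formed record: declares 5 bytes and carries 5 bytes. */
int example_well_formed(void)
{
    const unsigned char rec[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[FIELD_MAX];
    return read_field_checked(out, sizeof out, rec, sizeof rec);
}

/* A record declaring 200 bytes: the unpatched parser would copy 200 bytes
 * into a 16-byte buffer; the patched one rejects it. */
int example_oversized(void)
{
    unsigned char rec[201];
    memset(rec, 'A', sizeof rec);
    rec[0] = 200;
    unsigned char out[FIELD_MAX];
    return read_field_checked(out, sizeof out, rec, sizeof rec);
}

/* A truncated record: declares 8 bytes but only 3 arrived, so an
 * unchecked copy would read past the end of the input. */
int example_truncated(void)
{
    const unsigned char rec[] = { 8, 'a', 'b', 'c' };
    unsigned char out[FIELD_MAX];
    return read_field_checked(out, sizeof out, rec, sizeof rec);
}
```

The point of the example is the scope of the fix: once the reporter names the file and the missing bound, the patch is the two `if` checks in `read_field_checked`, whereas a report that only demonstrates a crash leaves the vendor searching every parser for the same class of mistake.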


Not surprised to see it's Sergey Glazunov - he's been awarded seemingly dozens of Chrome bug bounties already.


Anyone know which of the chrome sandboxes this was? If it was NaCl, I would really like to know.


"According to Justin Schuh, a member of the Chrome security team, Glazunov's exploit was specific to Chrome and bypassed the browser sandbox entirely. "It didn't break out of the sandbox [but] it avoided the sandbox," Schuh said in an interview."

http://www.zdnet.com/blog/security/cansecwest-pwnium-google-...


Thanks for the info.


Though Pwnium may (quietly) reveal exploits in Chrome, Google will conveniently not be featured in sensationalist headlines about Chrome being hacked more quickly or often than other browsers at Pwn2Own.


Are you familiar with the Chrome's history at Pwn2Own?

Its success at avoiding attacks has been a great marketing tool for Google.

Even with this Pwnium exploit, don't make the mistake of thinking Chrome is an insecure browser. By any measure it is the safest (graphical, full featured) browser around by a long way.



So for people as confused about this as I was, there are two similar but distinct contests at CanSecWest right now. Google Chrome is a target in both of them, and it has fallen in both of them.

This tweet refers to Pwn2Own, which is the one sponsored by ZDI, and which VUPEN apparently won (without having to share their exploit). The other, pwnium, is the Google-sponsored contest.


Bypassing DEP on Windows isn't a Chrome vulnerability. They published this months ago.


I wish Microsoft did the same with IE. One can wish...


At the risk of being downvoted, I'll point out that sandboxes are virtual. Virtual is pretend. Pretend things are easy to break and easy to fool. You just make them believe that everything is still OK.



