[tptacek]

I don't like vulnerability markets. It seems to me like a flaw is more valuable before it's patched, and more valuable before it's disclosed. Like plutonium, anything done to make it safer makes it less valuable. If you're going to pay top dollar for something like that, you bother me.

But I have two problems with where you're going.

First, finding a bug in your own time and not telling Apple about it unless they pay you isn't blackmail. Charlie Miller bills $300/hour. His work product is worth money. Apple has no right to confiscate it. If the dilemma was, "pay up or it's going to the Russian Mafia", it'd be blackmail. But if you think Charlie Miller is selling vulnerabilities to the Russian Mafia, you're a jackass.

Second, the reason you don't see me at CanSecWest --- well, one of them, another being that Nils and Charlie and Dino would crush me --- is that I spent all day reversing protocols, writing fuzzers, and finding flaws. For cash. Vendors pay us, and so do large companies that buy from those vendors. It's my day job; it's a job; money changes hands. How is Charlie's proposal different?

I think it is different. But it's way more subtle than you're making out to be. It's also a common industry practice, so making him the face of it isn't a great play.

(You can see where we stand on this: http://www.matasano.com/log/mtso/ethics/).

[riferguson]

I have no problem with you, Charlie, or anyone else being paid top dollar for his or her work, particularly in an important field like security research.

Indeed, I think it's a great idea for Apple and the other vendors to reimburse 3rd parties for high quality results.

But he wasn't saying "I put X hours into this, and therefore it's worth $X*(billing rate)."

He was saying "the market value of this is $Z., and it's more for things that have a greater impact."

I don't know Charlie Miller from a hole in the ground, and so I have no idea if he's going to be selling his work to the Russian Mafia. If you say he's a great guy, I'm sure you're right.

Nevertheless, if he thinks that security exploits have a market value beyond a reasonable billing rate, he's implicitly using the threat of the Bad Guys to raise the value of his work.

That's a very fine line to be walking.

[secres]

Charlie has actually written about this issue before in a more academic context:

weis2007.econinfosec.org/papers/29.pdf

Based on the limited data in the paper, it seems that it's the government rather than the vendors that is actually setting the price in the legitimate market, at least for high quality exploits.

I think the X*(billing rate) calculation ignores the risk that the researcher took. It's a little like saying that a startup should be worth exactly the amount of money that has been invested in it.

[riferguson]

I will go and read the paper. Thanks for the pointer.

[tptacek]

If Charlie Miller doesn't find bugs in Safari, it is more likely that the Russian Mafia will get them from someone else. If Miller decides to boycott Apple security research until Apple pays better --- to just stop doing the work --- is he implicitly using the threat of Bad Guys to raise the value of his work?

[riferguson]

[Let's use "Alice" as the name of our hypothetical security researcher.]

If the Bad Guys can get the exploit from someone else, then Apple equally could pay someone other than Alice to disclose it to them. Your premise assumes the work is fungible.

If the entire set of people (including Alice) who are capable of finding these vulnerabilities conspired to withhold their work and push the White Hat market clearing price up to the level that the Bad Guys will pay, then the answer to your question would be yes.

If it's a market without price fixing, then Alice withholding her work doesn't materially affect the actual price of the exploit to Apple, and in that case the answer to your question is no.

[tptacek]

You're missing the point. Apple isn't matching the market's bid for these vulnerabilities. Clearly, people besides Miller can find Safari flaws; the difference is, when Miller finds them, we know they aren't being sold to organized crime. By your logic, if he stopped, he'd be making things better for the Bad Guys; he's therefore obligated to do the work.

[riferguson]

You're missing mine, I'm afraid: I've made no claim about anyone having to do anything. Indeed, if I was in Charlie's shoes, I wouldn't be working on spec.

Let me put it another way.

There are two markets for exploits: the legitimate one, and the criminal one.

Charlie is participating in the legitimate one. He's going to get paid what the sole counterparty wants to pay him. We can argue about what the counterparty should pay him, but that's up to Apple (in this case), and there are a lot of different things that might enter into their calculation.

An argument that uses the value of the exploit in the criminal market in an attempt to set a value in the legitimate one only makes sense in one of two cases: (a) you're going to take your work and sell it over there, or (b) you claim that someone else either has already discovered or will soon discover the same exploit independently, and will choose to sell it on the criminal market, and therefore the value of your work should reflect the danger of that happening.

In the first case, you're engaging in blackmail.

In the second case, it's just not a very good argument -- because the chance that each element in the chain of reasoning about the value (it's about to be or has already been discovered by someone else, it's going to end up on the black market, it's a substantial risk for a 0-day, etc.) is not true represents a probability that reduces the overall value of your exploit in the legitimate market. Plus, there's the additional reductions in exploit value that come from the vendor not actually caring that much about fixing problems until they're in the wild, or having already found the issue and decided that the particular problem isn't worth fixing for a variety of non-technical reasons, or any one of a dozen other external factors.

Working on spec and then demanding that the vendors match the exploit values that the criminal market is paying is just a Bad Idea, morally and practically.

[tptacek]

Apple pays zero for vulnerabilities, friend. They get them for free. Charlie Miller is saying he's going to stop doing that. Can you blame him?

[cookiecaper]

One's billing rate is determined by the market value of one's services. For instance, I may be able to charge $300/hr for general security consulting to a software vendor, but I cannot expect $300/hr for flipping burgers at a fast food place. It's contextual; there's not one price assigned to one person. If Charlie finds an exploit that could potentially cause a lot of damage, it's perfectly reasonable to expect the vendor to pay a value proportionate to that exploit's potential liability, damages, etc.

Hourly rates are determined based on market rates, and vary from job to job.