UNDER THE RADAR

Cash For Apple Exploit?


By Larry Hooper, ChannelWeb
12:00 AM EDT Mon. May. 14, 2007
From the May 14, 2007 issue of CRN
TippingPoint got security tongues wagging again with a $10,000 bounty to a security researcher who won a hacking contest at a regional security event in Canada.

LARRY HOOPER
Can be reached via e-mail at lrhooper@cmp.com.
The security vendor's Zero Day Initiative, which pays would-be hackers or security researchers for the vulnerabilities or exploits they uncover, has been controversial since its inception. But extending the bounty to someone who won a hacking contest raised the hackles of the security establishment to new levels.

In this case, at the CanSecWest conference in Vancouver, British Columbia, security researcher Dino Dai Zovi won the contest by creating a QuickTime exploit and using it to take over a MacBook laptop. At the event, Zovi won the MacBook for his efforts.

As a rule, security vendors tend not to involve themselves in these types of contests because they fear it will feed the conspiracy theorists' speculation of vendors capitalizing on their own vulnerabilities. So, TippingPoint's decision to give Zovi $10,000 for the exploit didn't sit particularly well.

One McAfee researcher took TippingPoint to task, accusing the company of tarnishing the reputation of the industry as a whole. "The antivirus community, long the target of [bogus] claims that they write viruses to make money, wouldn't touch a contest like this with a barge-pole," McAfee researcher Rahul Kashyap wrote on his blog.

Others said the extra attention could lead hackers to reverse-engineer Apple's patch for the exploit.

Whether you come down on the side of TippingPoint or McAfee, one thing is clear: The IT security industry is still a long way from establishing who should reveal vulnerabilities that could have seriously detrimental effects, and when and how they should do it.

And while security researchers debate the concept of freedom of information vs. protection from an academic, ivory tower perspective, the industry as a whole loses credibility.

With each new security breach, consumers and business owners become less and less confident in the safety of their information and the systems they use to communicate, conduct business, shop, bank and pay bills.

So, whatever system the industry finally settles on for disclosing vulnerabilities, user confidence should be top of mind in the decision-making process. Because without user confidence, security is irrelevant.

Should we pay for vulnerabilities? Send your thoughts to lrhooper@cmp.com.

