There is a growing controversy over the business of selling zero-day exploits, that is bugs in software that can be exploited by malware. I say controversy because it is perfectly legal in the U.S. and many other jurisdictions for someone to discover a zero-day, not report it to the software vendor, and then sell information about it to third parties. And there is a rising chorus of calls for government to intervene in this practice. It occurred to me that software vendors are ignoring an existing legal tool that would let them crack down on these practices.
I went and scanned both the Windows 7 EULA and GPLv3 and I can find no language that prohibits someone from disclosing a zero-day exploit to a third-party nor requiring disclosure to the software vendor. Recall that software is not sold, but rather licensed, and the author retains substantial rights over your use of the software. So it should be possible for software vendors to include language in their licenses that make it a violation of the license to sell zero-day exploits.
There are models that could be followed for creating restrictions on zero-day exploit disclosure. Many years (actually decades at this point) ago Oracle added language to its database system license to prohibit disclosure of benchmark results. Other database vendors eventually followed. This later spread to other software and, for example, the Windows 7 EULA places some restrictions on the publishing of .NET benchmark information.
It even seems to me that the GPL, as well as other Open Source licenses, could be modified to limit disclosure of zero-day exploits. One would think that mandating disclosure to the original copyright holder before any other disclosure is in the spirit of the GPL.
Can this work? Well, it can help. Legitimate entities like Vupen have little choice but to adhere to licensing restrictions or face crushing legal consequences. And while black hat hackers will largely laugh at these restrictions, it does open up another avenue for targeting their activities with the legal system.
And what of those calls for further government regulation? Well I’d say that chances are 99% that any new laws or regulation will exempt sale or other disclosure to government entities. And while that seems like that might be ok it has many negatives. First, it keeps alive the business of selling exploits. Second, it creates a loophole that allows sales to government entities that may be less than friendly. Third, it legitimizes keeping vulnerabilities in software unpatched to allow for cyber “warfare” or other government sponsored attacks. Fourth, it could lead to all kinds of unintended consequences such as bringing more software under munitions control regulatory schemes.
Even if you dismiss my concerns about the negative consequences of additional government regulation, any such regulation will leave gaps that my proposed solution can fill in. For example new U.S. law will have limited impact on foreign actors, but a software vendor can create contractual obligations that apply in most jurisdictions without requiring new authority from the governments of those jurisdictions.
Hal's (Im)Perfect Vision 
Great idea: let’s severely restrict or outright eliminate all legitimate venues for selling zero-day exploit information, so independent security experts looking for a quick cash-in can only resort to the black market!
I’m sure that keeping security firms and software makers from buying information about standing exploits will work wonders to our already besieged industry!
Agreed. If a vendor doesn’t have the hired expertise on its’ payroll then what’s the problem allowing skilled professionals to do the work. They’re not sitting around doing something for nothing. Way to suggest killing an industry niche.
So you are ok with Vupen’s “We wouldn’t share this with Google for even $1 million”, so they can sell it to others who would exploit the vulnerability? That’s not ok, and it certainly isn’t in the interest of the software vendor. So I see no reason a software vendor should enable this “business” by allowing it in their license.
Then again, I see no reason why a software vendor should enable this “business” by keeping known vulnerabilities unpatched for months on end, but there you have it – re Oracle and the latest Java security debacle.
What bothers me is this notion that everything would be fine if just people weren’t allowed to share these little dirty software secrets. Problem is, we cannot stop them; attempting to do it only breeds a false sense of security, which makes things worse. I’d rather have software vendors perpetually on their toes, always wondering who else might be scanning their products and what they might have found, than let them pretend they can legislate the problem away.
I totally agree with you about vendors not fixing known vulnerabilities! Now it may be that they evaluate a report and miscategorize the threat as being very low or even non-existent. And given that any software change runs a high risk of introducing new bugs don’t want to make changes that aren’t necessary. But some vendors, Oracle amongst them, don’t have a history of being particularly pro-active in getting out security fixes.
I don’t believe the sale of exploits encourages vendors to be “on their toes”. Instead it leaves them frustrated that they weren’t told about a vulnerability before an exploit made it into the wild.
I agree that refusing to do business with the vendor of the vulnerable software is a rather jerky thing to do. Other than that I think that a legitimate exploit market is just what we need to blow away this delusional notion that it’s alright to keep a security hole open if “nobody knows”.
Let’s do a quick thought experiment. Imagine a software vendor is approached by a security expert who shares details of a zero-day vulnerability on one of their products. Then they say one of two things:
1. “I won’t tell anyone else about this vulnerability, so take your time to plug it”
2. “I will also share these details to anyone who pays my price”
Which of these do you think will get the vendor most motivated to do something about the vulnerability?
So rather than curb the exploit market, I’d rather have the vendors share in it – either by prohibiting exploit dealers from selling information without first sharing them with vendors, or by demanding they do business at market rates.
See http://www.microsoft.com/security/msrc/report/disclosure.aspx
“[F]inders disclose newly discovered vulnerabilities […] directly to the vendors of the affected product […]. The finder allows the vendor the opportunity to diagnose and offer […] corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress.”
That’s just what was done in the case of the latest Java security hole, and we all know how well it went.
I agree. Just make it a condition of the license that while you can sell the exploit to third parties, you must also disclose it to the vendor if you do. That way vendors with the capacity to fix their products still get the opportunity to do so, or else they can refer to a trusted third party security solution.
How about another revenue stream for the vendor? Write the software, ensure there are carefully placed bugs, sell the info via an alias and make some more money from your program. This is an ever recurring revenue stream when patches can introduce more lovely bugs to sell info about. Make a really usefull program or web app, give it away for free, get as many people as possible using it….make money by selling bug info. Why do you think they don’t have these provisions in the EULA…get with the program HAHAHAHA, what a joke. Just don’t do too many bugs or they might figure it out. I want to know who buys the information and what their intentions are. I have my suspicions.
Can’t sympathize with the S/W sellers who “own” the S/W you bought, along with the disclaimer they are not responsible for any damage their S/W might do to your computer (even that caused by the exploits found in their S/W). Until the S/W vendors stop “screwing” the customers with the some of the silly EULA restrictions and the like, then I have no problem getting a dose of medicine by those finding those exploits. After all, if someone wipes out your bank account because of an exploit, the S/W seller isn’t going to take responsibility.
And it’s not the author of the software who pays the price either, it is the end-user.
Who defines what a vulnerability is? What you are saying, as I interpret it, is that the only way that a piece of software can be used is in exactly the fashion described by the vendor. Use MS PowerPoint as a photo gallery, that’s an exploit and you are now a criminal.
Sorry, but this is not an option.
Umm, that sounds like a nonsense scenario. And it wouldn’t be a crime, it would be a contract violation.
That’s the point of the scenario, it’s a nonsense, like trying to define what constitutes an exploit (yes, it’s easy to say “an exploit is a way for an attacker to gain unauthorized access to a user’s machine” but then you have to define exactly how the software should be used because the range of misuse could be vast)
I don’t think it would be all that hard for the lawyers to properly and narrowly define this. I’ve already pointed out the benchmark clauses that database and app server vendors use, but there are other examples. Microsoft has in the past (and I haven’t studied EULA’s to see if it still does so explicitly) prohibited you from redistributing certain of its components in a competitor to the Office products. That is, you can create your own spreadsheet program using those technologies but you can’t distribute it to anyone else. In other words, your rights to use the software are already narrowly defined by most license agreements. And the Microsoft license agreements already contain a list of things that the license does NOT convey you the rights to do. It may be as simple as adding a bullet point to that section. But again, it is up to the lawyers to figure out how to do this without impacting the normal usage of the product (in other words, where 99.999% of users would never need to care that this prohibition was added).
Actually, while the idea is attractive, I’m not sure it’s possible – this kind of clause is essentially attempting to limit an individual’s right to sell their knowledge on a topic without the vendor’s permission. Especially with a EULA, which as far as I know is a fairly vulnerable contract (since it’s not “signed” by either party)
The “No Benchmark” clauses, which are definitely “knowledge” not code, have been quite successful on the legal front. And the EULA is definitely something you “sign” (i.e., they make you actively acknowledge your acceptance of the license agreement) as part the installation of most software products.
I don’t know why you’re trying to turn more people into criminals. I’ll never support anyone who runs to the government to bring about force against others. Let the IT security industry play out and evolve.
It’s kinda silly isn’t it? If calling the G-Men ever solved anything, we wouldn’t need an IT security industry to begin with.
Remember when the DeCSS algorithm was outlawed, and unauthorized DVD decryption immediately stopped? I bet this would play out just the same.
It’s naive to think a market could be legislated out of existence. At most markets can be outlawed – thus ensuring they will develop without any kind of control.