nCircle VERT Blog

Why ZDI Benefits Everybody.

The blogging world has been a little quieter than usual lately... I use Bloglines as my feed reader and previously I could have 700 posts a day to go through... now if I hit 300 it's a busy day. It seems to me that people will grasp at anything to find content to blog about... Everyone picks up the same thing and puts a slightly different twist on it. The latest subjects seem to be Tipping Point/Pwn to Own and Bruce Schneier's comment. I wouldn't normally comment on either of these (they're too popular) but my Bloglines search on the keyword 'nCircle' went off today and it was a post over at McAfee. Questioning why they had triggered my nCircle query I surfed over to the link and checked it out. I was rather surprised to see them taking a shot at Tipping Point for their offer of $10,000 in the CanSecWest Pwn to Own competition. I wondered how nCircle could possibly be mentioned and then I saw it... They referenced a two-year-old post by a former employee and attempted to use it as ammunition in their obvious attack on Tipping Point.

I find it most interesting that their attack has so little basis that the only ammunition they could find came from a two-year-old post... The security industry is constantly growing and changing... It's changing so fast that I would consider a post from 6 months ago to be too old to act as a reliable reference.

To further prove that point... I, for one, think that initiatives like ZDI and iDefense are great. That is my opinion though... someone else may post and disagree with me; that's something I enjoy about working at nCircle. I have freedom to have my own opinions and express them on the blog. So when I post these opinions they are my own, and not that of the entire VERT team, but let's get back on topic.

Let's say you're sitting at your computer 5 years ago and you discover a remote code execution vulnerability in Company X's Product Y. Now you could send an email to Company X and maybe have your name show up in small print at the bottom of their website... alternatively you could fire the vulnerability off to a few mailing lists and have everyone know your name. To you the choice you made was insignificant... there wasn't really a benefit to either option and if anything the slight benefit went to the concept of Full Disclosure.

Enter ZDI and iDefense. Now you have a third option: you sell the vulnerability you discover to one of these companies and suddenly everyone benefits. You walk away with some cash in your pocket, the vendor deals with a company that believes in responsible disclosure and the purchaser of the vulnerability has new value-add for its customers. "Yes we'll identify this vulnerability that the vendor isn't even aware of yet." Everyone wins.

Now let's take a conference... a place where you go to network with others in the industry and absorb large amounts of information. A conference that survives on registration fees and sponsors. In order to publicize the Con they hold a hacking contest. This contest draws more attendees and increases media attention. In order to make the contest even better a third party steps in and offers a cash prize. Now we have more interest in the contest, which in turn causes more media attention. So the conference benefits from increased publicity, the attendees benefit because they've absorbed knowledge and the publicity tells them that the conference will occur again in the future. In addition, the contest winner benefits from a cash prize and the third party sponsor benefits from a new vulnerability. This has got to be better than someone else finding the vulnerability and just setting it loose on the Internet.

In the end I see the negative side effects being non-existent or minimal at most. I say kudos to companies that support these vulnerability purchase initiatives and extra kudos to Tipping Point for willingly stepping forward and supporting CanSecWest.

Other Links:
Thomas Ptacek (Matasano) comments
Tipping Point Comments on QuickTime Flaw



Comments (3)

LonerVamp:

I think some of these kinds of barbs thrown back and forth between companies are all self-serving to some degree, if nothing else than to ride the coattails of popular news.

In the end, if it gives me and my users more security, I really couldn't care less in the long run. It also benefits our industry more.

@Tyler

What is your Bloglines URL?



About

This page contains a single entry from the blog posted on May 7, 2007 2:08 PM.




Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.


   



