Security experts hit out at "unethical" bug finder

Security experts have hit out at US firm Immunity Inc, which provides paid-up members with vulnerability information under non-disclosure agreements (NDA), which it subsequently keeps from vendors and the world at large.

A silicon.com article last week revealed Immunity and its founder Dave Aitel have been causing a stir in the security world in recent months with a business model branded "unethical" but entirely above-board.

The greatest source of growing concern appears to focus on the NDA and the potential for anybody to sign up and pay the price for notification of vulnerabilities.

One rival bug finder, who operates along the more traditional lines of informing the affected vendor of the flaw in its product and working with them to patch it before releasing any details of the vulnerability, has hit out at Immunity Inc.

Drew Copley, senior research engineer at eEye Digital Security, told silicon.com the situation of signing members to a non-disclosure agreement in return for information on security vulnerabilities is "extremely unethical".

"What are these people missing here?" asked Copley. "Are they crazy? What prevents any organised criminal group or criminal from getting on there and signing a NDA?"

"We treat security vulnerabilities that are not fixed yet by the vendor as state secrets. Selling them to anyone who would pose as a company or sign a NDA is highly unethical."

Copley said even "total disclosure", whereby everybody – vendors, researchers and the general public alike - is given the information at the same time would be preferable.

eEye was last week credited for working with Computer Associates to fix flaws in CA's licensing software.

Simon Perry, VP security strategy at CA, told silicon.com: "Knowledge cannot be effectively controlled. NDAs in the IT community as a whole are not taken seriously and there do not appear to be adequate controls to ensure that the information does not leak to those who have an interest in creating a dangerous exploit."

"The business model deliberately creates a culture of the security haves, and the security have-nots. It does not improve security overall," he added.

Perry also questioned whether Aitel's customers are getting value for money. Because vendors are kept out of the loop, flaws go un-patched while Immunity's customers are given a workaround.

"You're given a workaround by Immunity, but you don't have a fix – a patch from the vendor that permanently addresses the problem. The door is closed, but it's not locked shut."