In a panic I read the ZDNet article and then checked out the Security Explorations website, carefully poring over their FAQs, etc.
The article leads with “A Polish security researcher has claimed to have found multiple flaws in mobile Java, but is demanding €20,000 in return for full details of the vulnerabilities.”
A quote from the website regarding their dismissal of a vendor lawsuit is also provided.
Now, I didn’t interview the author of this piece of journalism, nor did I contact Adam Gowdiak, a former member of the Polish hacking group “LSD”, myself. I am, however, a stickler for details, and my reading comprehension skills are still pretty sharp.
There is a fine line between blackmail and extortion (a nuance, really) that I won’t bother to discuss, because this new business, with its controversial business model, is conducting neither.
From the company FAQ:
-----
“Disclosure policy
Vendors responsible for fixing security defects uncovered as a result of our research are issued so-called vulnerability notices containing brief (though sufficient) information about vulnerabilities identified in their products. From that moment, the internal security and engineering teams of a given vendor can start their work aiming to fix the reported issues.
Security Explorations does not send vulnerability information to the licensees of a given technology. Only the original vendors of the affected technology or software are provided with brief vulnerability information.
Vendors and the public are informed on the very same day about identified security threats. The public is notified about the existence of a given security weakness; vendors are provided with its brief details.”
-----
What that means to those of us who wrestle with disclosure policies ourselves is that the vendor gets the vulnerability details for free; it’s the rest of us who have to pay for them. Even if the vendor is still being asked to pay for the full report, it shouldn’t be necessary. I would imagine that the vendor was given enough information to figure out what the flaw is; in fact, given the amazing talents of the research community out there, I think the public has enough information to figure out what the flaw is. We’ll have to wait and see, but most of us remember what happened to several of the bugs posted on the WabiSabiLabi auction page, and those were just product names and bug titles.
Same old racket, and Gowdiak is in good company: Immunity Sec, iDefense, Argeniss, Digital Armaments and many others either sell details or exchange information for a fee. The public notice is no different from (although with many more details than) our own ZDI “Upcoming” page.
So, for now we can stop accusing this poor little startup of blackmail and begin discussing how we feel about the disclosure policy and the selling of exploit details itself. Any takers?
