Internet Security Systems - AlertCon(TM)

Intellectual Weapons

Posted by Tom Cross on June 08, 2007 at 1:41 PM EDT.

After years of struggling with the subject of vulnerability disclosure, the computer security scene has a generally agreed upon set of ethical standards that are considered responsible. There is a lightly enforced social contract that suggests that responsible researchers should privately disclose vulnerabilities to vendors, that vendors should repair them, and publicly disclose when they are repaired, and that credit should be given to researchers who follow this protocol. This protocol helps ensure that bugs are fixed in a timely manner before they can be used for malicious ends and that credit is given where it is due.

The rise of bug bounty programs raises challenging questions about this social order. Independent researchers are now financially incentivized to disclose vulnerabilities to third parties instead of disclosing them to the vendors. The jury is still out on the significance of this development for the delicate balance of responsible disclosure. However, one of the predictions that some detractors made when these programs began was that a marketplace for vulnerabilities would be created, and that it would attract interests with less pure motives than those of the security companies that started the market in the first place. This prediction appears to have come true.

Enter Intellectual Weapons. This company is offering to help independent researchers market their vulnerabilities. What is unique about their offering is that they plan to patent vulnerabilities, and their fixes, using a combination of submarine patents and accelerated filing strategies.

The implication of secret vulnerability patents would be that a company could not patch a problem in its own software unless it agreed to pay a bounty, even if it discovered the problem independently, or a third party discovered it independently. More interesting is the trouble faced by independent researchers, who may find themselves facing lawsuits if they stumble on an undisclosed bug that is patented by Intellectual Weapons and sell it to a bug bounty program or distribute an IPS signature for it.

It’s not clear if Intellectual Weapons will be successful. They don't appear to be willing to take the financial risk associated with their experiment, and independent researchers with bugs to disclose may find it safer to sell them to an existing bounty program. If they do get a bug, it’s possible that they'll be unable to defend their patent rights in court. Likely they would be ignored unless their bugs were sufficiently important and their threats to release them sufficiently credible. (Furthermore, one of my coworkers suggested that the very idea was so outlandish that it might turn out to be a hoax.)

However, suppose they do succeed. Imagine a company holding a vulnerability in secret and threatening to disclose it to the entire world if a bounty is not paid; even after such a disclosure the vendor would still be unable to patch the vulnerability, and no security company could offer protection, without paying the bounty. The company would literally be able to hold the entire computer industry hostage, effectively holding the reins of an array of organized criminal groups who are committed to attacking computer networks for the purpose of committing fraud, espionage, and other crimes, and essentially demanding that people pay them for the very right to protect themselves. What's worse is that if this strategy were successful, perhaps it could be employed directly by organized crime to simply deny companies the ability to fix the vulnerabilities those organizations find useful.

It seems clear to me that this is not ethical. While most vendors in the computer security industry employ patents to protect their technological innovations, generally speaking users are not locked in to paying a particular vendor in order to protect themselves from a particular threat due to an intellectual property regime. If these kinds of loopholes truly exist in patent law, I imagine the legislature would close them rapidly. We may soon find out.