The research manager at TippingPoint, the company that paid $10,000 for the QuickTime vulnerability and its associated exploit, countered by saying that at no time was there any danger of the vulnerability escaping from responsible parties.

Dino Dai Zovi was the first to hack a MacBook Pro at CanSecWest, a Vancouver security conference held two weeks ago. For his trouble, Dai Zovi took home the $10,000 prize offered by TippingPoint's Zero Day Initiative, a bug bounty program that's been in operation nearly two years.

Security researchers have called the QuickTime bug, which can be exploited through any Java-enabled Web browser, "very serious." Apple on Tuesday patched the vulnerability. In documentation accompanying the QuickTime update, Apple acknowledged Dai Zovi's contribution.

"Public vulnerability research and 'hacking contests' are risky endeavors, and can run contrary to responsible disclosure practices, whereby vendors are given an opportunity to develop patches or remediation before any public announcements," said analysts Rich Mogull and Greg Young in a research note published by Gartner Monday.

"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT. However, conducting vulnerability research in a public venue … could potentially lead to mishandling or treating too lightly these vulnerabilities — which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide aid to attackers."

"There are a lot of definitions of 'responsible disclosure,'" retorted Terri Forslof, TippingPoint's manager of security research. "What it means to us is that the vulnerability and its exploit are kept quiet and the vendor's given the time to patch the issue.

"It comes down to the facts of the case. The [CanSecWest] organizers took great pains to secure the network that was actually used for the challenge. As for the idea that this added some risk [that the vulnerability would be made public], I don't find it to be the case."

Mogull and Young recommended that security vendors call an end to public contests. "Consider ending public vulnerability marketing events, which may lead to unanticipated consequences that endanger IT users," they concluded.

"This wasn't our idea," Forslof said. "We didn't host this challenge, and we didn't organize it. It was an on-the-spot decision [to offer the prize]."

Dai Zovi, who dug up the QuickTime bug and crafted an exploit in a 9- to 10-hour stretch, has said the money wasn't his motive. "The challenge, especially with the time constraint, was the real draw," he said last Friday in an e-mail interview.

"On the record, I think all vulnerabilities should be disclosed only through the vendor or through a responsible third party," said Forslof. "But users were never at risk here."