ISS Criticizes TippingPoint For Sponsoring Hacking Competition

IBM's ISS unit has severely reprimanded TippingPoint for patronizing the hacking contest where the QuickTime vulnerability in Apple's browser - Safari - became public.

This is not the only time that such criticism has arisen. Rich Mogull and Greg Young, the two analysts from Gartner have similarly brought to point the issue in the second week of May 2007. They spoke against the April 2007 CanSecWest conference where U.S. $10,000 was put up as prize money for the hacker of Apple computers. They wrote a research paper entitled "QuickTime vulnerability exposed by contest poses wide risk" where they said that security services firms and vendors should stop marketing vulnerability in public events so that unanticipated consequences do not put IT users at risk. Gartner published the research paper on April 30, 2007. MacWorld reported this on May 2, 2007.

The report that was presented after an open challenge to find a flaw in Mac operating system triggered off discovery of security loopholes, in public, that would impact on all browsers on any operating system with QucikTime 2 running on it. TippingPoint said they would inform Apple privately, but many believed that other channels could already have made the exploit information public.

According to a statement by Kris Lamb of ISS, the public discussions regarding the contest has put numerous companies at risk of potential compromise through attacks on browsers. Lamb further said that the contest was a very good demonstration of consequences when security companies do not separate marketing exclusively from vulnerability research. PCworld published Lamb's statement on May 14, 2007.

IBM Internet security systems believe similarly when Gartner says that 'public vulnerability research' and 'hacking competitions' are dangerous attempts that can oppose 'responsible discovery practices'. It is because of such argument that IBM ISS strictly abides by its 'responsible disclosure guidelines'.

The problem outlines of this dispute were laid in 2005-2006 when TippingPoint launched its Zero-Day Initiative. At that time the present owners 3Com had not yet acquired TippingPoint. The scheme paid to researchers for reporting vulnerabilities that the company would then include it into its corporate security system. The security system is subscription based.

Related article: ICC Cup Event Could Be Fodder for Phishers

» SPAMfighter News - 5/22/2007