Full Report
Those of you who were around in 2001 will recall http://anti.security.is (the anti-sec f.a.q). The sentiment pops up periodically (in different forms), and it seems like CansecWest this year has seen a resurgence of it. From Charlie Miller's comments on the Safari bug: “Did you consider reporting the vulnerability to Apple? I never give up free bugs. I have a new campaign. It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”
Analysis Summary
# Main Topic
The resurgence of the "No More Free Bugs" sentiment within the security community, exemplified by researcher Charlie Miller's stance on not disclosing vulnerabilities to vendors like Apple without compensation, contrasting with traditional anti-security/full disclosure stances.
## Key Points
- The sentiment is described as a recurring theme, recently observed following discussions at CansecWest surrounding a Safari vulnerability disclosed by Charlie Miller.
- Charlie Miller explicitly launched a campaign called "NO MORE FREE BUGS," asserting that vulnerabilities have market value and researchers should not give away hard-won exploits when vendors (like Apple) pay others for similar work.
- This stance generated debate, with critics, such as Ross Thomas from SophosLabs, expressing concern over the safety and privacy implications of withholding vulnerability information.
- The article draws a historical parallel to the 2001 anti-security FAQ at `hxxp://anti[.]security[.]is`.
## Threat Actors
- **Charlie Miller:** Key proponent of the "No More Free Bugs" campaign.
- **Internet Security's "Nils":** Noted for a browser trifecta, exploiting Safari, IE8, and Firefox; not directly linked to the bug disclosure debate, but cited as a significant figure in exploitation.
## TTPs
- The *topic* revolves around vulnerability discovery and disclosure strategy rather than active attack TTPs.
- Specific technical details of the Safari bug are not provided, but the context implies the existence of working exploits for multiple browsers (Safari, IE8, Firefox) being demonstrated or discussed.
## Affected Systems
- **Apple Safari:** Explicitly mentioned in relation to Charlie Miller's comments and the context of vulnerability compensation.
- **Microsoft Internet Explorer 8 (IE8):** Mentioned in connection with exploitation techniques demonstrated by "Nils."
- **Mozilla Firefox:** Mentioned in connection with exploitation techniques demonstrated by "Nils."
## Mitigations
- No concrete defensive mitigations are explicitly listed in the context provided, as the focus is on disclosure ethics and researcher compensation models.
- The implied resolution, based on the opposing viewpoint, is responsible disclosure to the vendor for patching.
## Conclusion
The current security landscape is undergoing a philosophical shift in which high-value bug discovery moves from a purely altruistic disclosure model toward an economic one, driven by researchers' recognition of market value. While this debate polarizes the community on user safety versus researcher compensation, it forces vendors to acknowledge a tangible market price for zero-day knowledge.