A security researcher has demanded that FireEye pay him for several zero-day vulnerabilities he found in the firm’s security products, and he has threatened that he will otherwise remain silent about the bugs’ details.
Over the long weekend, news broke about how researcher Kristian Erik Hermansen had discovered at least four zero-day vulnerabilities in FireEye’s products.
Hermansen published proof-of-concept code demonstrating how one of the vulnerabilities could be exploited; according to CSO Online, the flaw appears to lie in a PHP script on one of FireEye’s internet-facing web appliances.
“Just one of many handfuls of FireEye / Mandiant 0day,” Hermansen claims in a post published on Pastebin. “Been sitting on this for more than 18 months with no fix from those security ‘experts’ at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process.”
In a statement shared with the media, FireEye addressed Hermansen and Ron Perris, a fellow security researcher, and reminded them of the importance of responsible disclosure:
“This morning, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase,” the statement reads. “We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure.”
However, Hermansen has taken issue with FireEye for allegedly not paying attention to his efforts sooner.
“What frustrates me is they are all ears now, when they ignored the issues for a long time,” he said, according to an article posted on CSO Online. “When they implement a bug bounty or security rewards process I will reply to them. Until then, they get cold silence as reciprocity. They have been giving me lip service about implementing such a program for more than a year. Let them announce it publicly and then I will talk to them again. I’m sure there are lots of other bugs in their products that are not yet disclosed.”
The article goes on to state that Hermansen and Perris may have found upwards of thirty additional vulnerabilities in FireEye’s products.
Hermansen is currently asking $10,000 for each of the four zero-day vulnerabilities announced over the weekend.
This is a tricky situation.
Clearly, Hermansen is aggravated that FireEye has not (so far) rewarded him for his discovery.
Ultimately, all of this is beside the point.
As a security researcher, Hermansen should realize that his work is bound up with helping users stay safe online. The manner in which he has conducted himself since announcing the four zero-day vulnerabilities, however, suggests that he is primarily interested in personal gain.
Once again, we see the extent to which human behavior affects computer security and how poor choices beget insecure consequences for us all.
9 comments on “Researcher demands FireEye pay up for zero-day vulnerabilities or suffer his ‘cold silence’”
You can spin that "personal gain" thing both ways.
If FireEye weren't unwilling to pay, the vulnerabilities wouldn't still exist in the wild.
"Sure," you might reply, "but why should they have to?" Indeed, they don't have to. They can instead choose to be more focused on short-term gains.
I'm having a hard time summoning much sympathy for the idea that security researchers have some sort of *obligation* to help for-profit security companies free of charge. Corporations have screwed that particular pooch so many times that it's a small wonder they're finding themselves bitten.
That's a good point, Adrian. I suppose it comes down to these security firms' analysis of whether a bug bounty is in their interest, not to mention how that evaluation might grate against the manner in which individual security researchers choose to disclose vulnerabilities. I don't know if anyone is right in this particular instance…it might just be a difference of philosophy when it comes to the manner in which these two actors feel disclosure should proceed.
Bug Bounty programs have created this problem. If the researcher really wanted to give up the information, he could. However, the varying amounts of bug bounty programs has created this behavior. This is exactly why I don't like bug bounty programs, as they make the entire process of discovering, disclosing and reporting these bugs to companies without them a tangled mess.
I don't approve of bug bounties, and never have. Companies should be held liable for their products, be they tangible or intangible. It's the only way we're going to see a change in behavior for products that require coding and perform some level of security on behalf of a customer, purchaser, user, etc.
That's my 2¢, YMMV.
"As a security researcher, Hermansen should realize that his actions are bound towards helping users remain safe online. The manner in which he has conducted himself since announcing the four zero-day vulnerabilities, however, suggests that he is primarily interested in personal gain."
Why do you get to be the judge here? He found the issues, he doesn't owe them, or anyone, anything.
He has no obligation to '[help] users remain safe online."
If he wants to sell them, that's his prerogative. Maybe that's how he's decided to make a living. He has no moral obligation to subscribe to the tenets of Responsible Disclosure… especially after FEYE jerked him around this long.
Do you feel the same way about companies like Exodus Intel, who do similar things, albeit in a different way?
You clearly hold grudges – or similar. Let me spell it out for you:
You're being judgemental but you question why he gets to be the judge. Hypocrisy mean anything to you? He's not judging anyone, anyway – he's giving his opinion. Perhaps you weren't aware of the definition of opinion. May I suggest a dictionary? Pay attention to the part that an opinion doesn't require facts – in fact, you can simply have a personal opinion over what is the best food type(s): if I say there is no better food than Japanese (which I would claim is 'true' except if I'm wanting desserts) that is my opinion; if someone else says that I'm wrong and there is no better food than Italian, that is their opinion. Neither of us is right or wrong. That doesn't involve truth or falsehood, does it? But both are opinions.
"He has no moral obligation to subscribe"
You mean legal obligation. There are pros and cons of each way of revealing a flaw (security or otherwise). But logically if he wanted money he could abuse the black market that governments (stupidly) help. Furthermore, it is his attitude that I personally (note the above) have a problem with. Essentially, he's acting like a spoilt brat who didn't get his own way this one time – and now he's telling his parents off for ruining his life.
You're right: he is perfectly at liberty to manage it the way he likes. But that doesn't mean others aren't allowed to share their view – like you're doing while simultaneously criticising others for the same thing. Hypocrite.
>As a security researcher, Hermansen should realize that his actions are bound towards helping users remain safe online.
Unless you're a security researcher for NSA/GCHQ etc…
I wonder why this chap didn't sell his exploits to a 0day broker or the like?
Aw, come on, FireEye is HUGE! The founder is a billionaire and the company can, hence, definitely afford much more than $40,000 to take care of something which will probably cost them more than that in lost profits because of these holes in a security firm's security! He should be paid, period!
A discovered vulnerability is intellectual property belonging to the person that makes the discovery. In my lifetime I've had some valuable bits of intellectual property stolen simply because I made a mention of it. Eventually you become protective of your intellectual property. By ignoring the bugs reported they are devaluing the intellectual property in the mind of the researcher, and that may be part of his aggravation. In ignoring these vulnerabilities the company is disrespecting the researcher and their responsibility to their users. I'm sort of a "throw the ball in your court and yell at you" kind of person towards irresponsible scumbags that don't fix their trashy stuff. Were I the researcher I'd probably publish ways that script kiddies could exploit the vulnerabilities, but that's just me…
The irony is that you're calling them irresponsible scumbags who don't fix their trashy stuff. How do you expect them to FIX what they aren't AWARE OF (especially all those other vulnerabilities they have supposedly found)? And as for the script kiddies remark. It might not even be that (those) kind(s) of exploit(s) – perhaps you're aware of this, considering that you would publish ways for this to be exploited by script kiddies?
But then you have the boldness to claim that a discovered vulnerability is intellectual property belonging to the person that makes the discovery. The vulnerability wouldn't exist without the product. Besides, intellectual property – the concept – is abused far too much (which you're showing). That is before patent trolls who attempt (and often succeed) in getting rights over mathematical standards (and other things like that). A person that is so greedy and so selfish that they can't publicise a discovery that would have positive benefits to all of mankind – including themselves – is a good example of this (and it isn't unheard of).
It seems to me that you too are disgruntled about your so-called IP. I'm sure the same can be said for many other organisations that feel they are so SPECIAL for ABUSING EVOLUTION of technology (etc.) – WITHOUT something they DIDN'T INVENT they WOULDN'T HAVE their 'intellectual' property in the first place.