A security researcher has demanded that FireEye pay him for several zero-day vulnerabilities he found in the firm’s security products, and he has threatened that he will otherwise remain silent about the bugs’ details.
Over the long weekend, news broke about how researcher Kristian Erik Hermansen had discovered at least four zero-day vulnerabilities in FireEye’s products.
Hermansen published proof-of-concept code demonstrating how he could exploit the vulnerability, which according to CSO Online appears to be centered in a PHP script on one of FireEye’s forward-facing web appliances.
“Just one of many handfuls of FireEye / Mandiant 0day,” Hermansen claims in a post published on Pastebin. “Been sitting on this for more than 18 months with no fix from those security ‘experts’ at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process.”
In a statement shared with the media, FireEye reached out to Hermansen and Ron Perris, a fellow security researcher, in an attempt to remind them of the importance of responsible disclosure:
“This morning, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase,” the statement reads. “We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure.”
However, Hermansen has taken issue with FireEye for allegedly not paying attention to his efforts sooner.
“What frustrates me is they are all ears now, when they ignored the issues for a long time,” he said, according to an article posted on CSO Online. “When they implement a bug bounty or security rewards process I will reply to them. Until then, they get cold silence as reciprocity. They have been giving me lip service about implementing such a program for more than a year. Let them announce it publicly and then I will talk to them again. I’m sure there are lots of other bugs in their products that are not yet disclosed.”
The article goes on to state that Hermansen and Perris may have found upwards of thirty additional vulnerabilities to which FireEye’s products are vulnerable.
Hermansen is currently asking $10,000 for each of the four zero-day vulnerabilities announced over the weekend.
This is a tricky situation.
Clearly, Hermansen is aggravated that FireEye has not (so far) rewarded him for his discovery.
Ultimately, all of this is besides the point.
As a security researcher, Hermansen should realize that his actions are bound towards helping users remain safe online. The manner in which he has conducted himself since announcing the four zero-day vulnerabilities, however, suggests that he is primarily interested in personal gain.
Once again, we see the extent to which human behavior affects computer security and how poor choices beget insecure consequences for us all.