Security industry slams virus reward

A start-up offers a $10,000 reward to any programmer who can get malicious code past its product--and the antivirus community at large isn't pleased.

Robert Lemos, Staff Writer, CNET News.com
The antivirus industry lambasted e-mail firewall start-up GateKeeper on Monday, after the company announced a reward for any virus writer who can infect a specific computer protected by its product.

"It is probably one of the most irresponsible things that someone could do," said Vincent Gullotto, director of the Antivirus Emergency Response Team for security services company Network Associates.

The challenge will pay $100 to the first person to get a virus past the company's e-mail gateway and infect a computer on the internal network. The company will also pay $9,900 to the person for information about how they created the virus.

While such challenges have been popular as a way to gather hackers from around the world to crack encryption or test a security product, applying them to the virus-writing scene is irresponsible, said Susan Orbuch, spokeswoman for antivirus software company Trend Micro.

"This type of behavior is incredibly unethical," she said. "It encourages individuals to write viruses. I don't want this company to get publicity. I want them to take (the challenge) down."

Unlike attempts to hack a server, a virus can spread out of control beyond a single computer to the Internet at large, Orbuch said.

GateKeeper's product allows e-mail attachments into the corporate network only if the attachments have been authenticated by the company. Any e-mail containing invalid attachments is quarantined, and the body of the e-mail is sent on to its destination.

Mason Stewart, president of the Leesburg, Va., company, said he discussed the publicity campaign with the company's other four members and decided to go ahead. "I guess there is a certain amount of encouragement" to virus writers, he said. "But there is activity going on regardless."

Instead of criticizing his company, he said, the industry would do well to look at how poorly it has protected computer users against viruses.

"There is some complacency in the industry that they have the situation under control," he said. "I don't think we should get slammed."

Regardless of whether the publicity stunt works, the company could find itself in legal trouble if virus writers start claiming that they wrote viruses for the competition, said Joe Wells, the founder of a comprehensive online dictionary of viruses known as The Wildlist.

"It puts them in the role of, for every virus that is created, being held liable," he said. "They could become the scapegoat for virus writers for a long time."

As part of the protest, Wells intends to write an open letter of protest to GateKeeper.