Researcher wants cash for flaws

A security researcher is trying to garner funds to set up his own company by charging for details of software flaws.

Adam Gowdiak says he has identified flaws in Java technology used on Nokia's Series 40 phone operating system and has built two exploits that could be used to subvert systems running the code. He is asking Nokia and Sun for €20,000 to see his proof and amend the flaws but has not ruled out selling it to third parties.

"We plan to deal with professional and serious companies from the security, telecommunication, anti-virus and government industries. Thus, we will not fulfil every single party's request for early access to our research material," he says on his site. "We can't do anything about the leak occurring at one of these companies. In case of a leak, we will immediately inform the public about its occurrence."

In the forward to his paper Gowdiak claims that the flaws would allow a hacker to control certain functions of a mobile phone running Nokia’s Series 40 operating system just by knowing the phone number of the phone.

Once into the phone it could be programmed to call high cost phone services or send duplicate copies of SMS messages or even turn the phone into a sound recorder.

The move is a break from standard security research, where vendors are informed of any flaws and researchers make their money from consultancy. Gowdiak says this would not give him the freedom to do the research he wants but that he had given the companies a brief update on the flaws.

“If one takes into account that experienced and skilled third parties charge between $200 to $250 per hour for security evaluation services, €20,000 is equal to three to four weeks of work. So, you get the six months of work for the price of one month,” he said.