Are Bug Bounty Programmes a good thing or a bad thing?
Here’s another of those debates that confound the security industry, like ‘should security firms employ proven security experts if they’re ex-hackers?’ and ‘which is right: full disclosure or responsible disclosure?’. This one is ‘should the security industry pay a reward for vulnerabilities?’
The argument against is given by Anthony Haywood, CTO at Idappcom, a company strong in application security and management, and vulnerability assessment. The trigger is news that Barracuda Networks has launched a bug bounty programme, with ‘a cash prize ranging from $500 to $3133.7, depending on the severity of the vulnerability’.
Barracuda Networks Inc. today announced the Barracuda Security Bug Bounty Program, an initiative that rewards researchers who identify and report security vulnerabilities in the company’s security product line…
“Security product vendors should be at the forefront of promoting security research,” said Dr. Paul Judge, chief research officer at Barracuda Networks. “This initiative reflects our commitment to our customers and the security community at large. The goal of this program is to reward researchers for their hard work as well as to promote and encourage responsible disclosure.”
Barracuda’s Bug Bounty Scheme
Anthony Haywood is agin it. He believes that there is a significant danger that it will attract developers into researching the vendor’s products and then offering them to the highest bidder. Personally, I think this is already happening. But if the legitimate industry offers nothing, then the illegitimate industry is all that is left. A good zero-day exploit could be worth anything from tens of thousands of dollars to hundreds of thousands of dollars to the criminal fraternity. Those researchers who will sell to the highest bidder are already doing so.
And, of course, if the bug is a really serious one that cybercriminals can exploit to generate fraudulent revenue, there is a significant danger of the exploit information falling into the dark ecosystem that black hat hackers – as well as cybercriminals – now inhabit.
I would suggest that this is less likely to happen with Barracuda’s bounty programme than if there were no legitimate reward.
Whilst even organisations like Google and Mozilla offer juicy sums of money for bugs in their software, you are going to get other vendors following suit. But just because it is becoming the norm for the IT industry, does not make it in the long-term interests of our market sector…
…The irony of the situation is that, as well as paying indirectly for the bug bounty schemes, end users of IT security systems, software and services also end up ‘paying’ as the tide of malware and other electronic mayhem rises as a result.
This is a cause and effect situation. No one really wins in the longer term from bug bounty programs. And that’s why we say that they are not in the real interests of our industry.
Personally, I disagree with this interpretation just about, well, totally. Firstly, software vendors demanding what they describe as ‘responsible disclosure’ without offering a reward is the same as demanding that security researchers act as unpaid employees, effectively undertaking and reporting unpaid security code audits. And secondly, security researchers, whether white hat or black hat, do not create the vulnerabilities; they merely discover them. So if a white hat researcher doesn’t find it first, sooner or later (and possibly already) a black hat researcher will. I would much rather a good guy find the vulnerability and pocket $3000 by disclosing to the vendor a vulnerability that can now be fixed, than have a black hat researcher sell it to a criminal gang for a lot more money.
The current system isn’t working. Criminals are getting more and more organised, and there seems to be an inexhaustible supply of vulnerabilities. Researchers don’t make these vulnerabilities; it is the software developer that puts them into the software. Therefore the software vendor is responsible. And where responsibility lies, there too should lie redress. So this is my proposal. All software vendors should have a choice: either they are liable for loss caused by vulnerabilities in their software, or they offer a reward programme. This will force the vendor to behave more responsibly. He will increase his efforts to release secure software, because failure to do so will prove very expensive. Either he will be liable for his users’ losses, or he will choose to pay a reward to freelance researchers for responsible disclosure. My bet is that 100%, give or take nothing, will opt for the reward scheme. So, rather than being castigated, bug bounty schemes should be applauded, and possibly made compulsory.