
Bounty programs could swat more bugs with better tools

Bug bounty programs to spot software flaws have been effective, but there are still bugs remaining. A new study suggests the best improvement to bounty programs could be focusing some attention somewhere else: Bug finding tools.

[Photo: The American burying beetle. Al Behrman/AP]

There's no question that bug bounties — rewards offered for information about software flaws — have been useful in finding and fixing vulnerabilities affecting countless tech companies.

In fact, Google announced in February that it was so happy with its "Pwnium" program to find bugs in the Chrome browser, it would expand the budget to "infinity million dollars." The success of bug bounties has even spawned a cottage industry of companies that run bounty programs. HackerOne, for example, operates bounty programs for Twitter and Yahoo.

But even with the rewards that businesses are offering, many vulnerabilities still go unreported to the firms whose software needs to be repaired. The problem is that interested third parties — both foreign and domestic government agencies and sometimes criminals — are willing to pay handsomely for the bugs to use for their own ends.

Companies offer bounties that range from a mention on a website or a T-shirt to payments that are rarely more than a few thousand dollars. Facebook, for example, paid an average of $1,788 per vulnerability last year. But corporate rewards are no match for open-market prices: major vulnerabilities can sell for tens or hundreds of thousands of dollars.

And as long as that shadowy market exists, the question is how to shift the balance of power in the vulnerability marketplace from people looking to purchase bugs they plan to exploit to people who plan to fix them. Or, in industry terms, how can we dry up the market for offense and expand the market for defense?

The solution might be to create an entirely new marketplace.

New research that will be presented next week at the RSA Conference on computer security in San Francisco says that bug bounty programs should be joined by tool bounty programs.

“If you talk to people in the offensive market, they don’t use tools,” says Katie Moussouris, chief policy officer of HackerOne, who coauthored the paper with Michael Siegel, principal research scientist at the MIT Sloan School of Management.

"They’re like Neo in 'The Matrix,' able to see the woman in the red dress right away," says Ms. Moussouris. "Improving tools benefits defense way more than offense."

Moussouris is putting her money where her mouth is. The Internet Bug Bounty Panel, a service supported by HackerOne that provides bounties for unfunded open source development, is starting to offer rewards for new tools, as well. The panel will even retroactively provide rewards for tools that have already been built.

Some tools do exist. One, called a fuzzer, is a program designed to feed random inputs to other software until it crashes. An additional tool can then check whether those crashes could lead to security breaches. But, until now, there hasn't been much incentive to produce and publicize such tools — other than the Internet equivalent of civic pride.
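A toy version of that pair of tools, added here as an illustration and not drawn from the paper or from any HackerOne program: a mutation fuzzer that crashes a deliberately fragile parser, and a triage step that buckets the crashes and flags the out-of-bounds ones. The parser, its bug and the seed input are all constructed for this example.

```python
import random
import traceback

# Constructed target (not real project code): parses [tag][len][value...] records
# and trusts the input's framing, which is the bug a fuzzer should surface.
def parse_records(data: bytes) -> list:
    pos, records = 0, []
    while pos < len(data):
        tag, length = data[pos], data[pos + 1]   # header read past the end: IndexError
        if length > 64:
            raise ValueError("record too long")  # deliberate validation error
        records.append((tag, data[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return records

# Deterministic stage (every truncation, every byte flip), then random "havoc".
def mutations(seed: bytes, rng: random.Random, havoc: int):
    for cut in range(len(seed)):
        yield seed[:cut]
    for i in range(len(seed)):
        yield seed[:i] + bytes([seed[i] ^ 0xFF]) + seed[i + 1:]
    for _ in range(havoc):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            op, i = rng.choice(("flip", "insert", "delete")), rng.randrange(len(buf) + 1)
            if op == "insert":
                buf.insert(i, rng.randrange(256))
            elif buf and op == "delete":
                del buf[i % len(buf)]
            elif buf:
                buf[i % len(buf)] ^= 1 << rng.randrange(8)
        yield bytes(buf)

# Bucket crashes by exception type and innermost frame so duplicates collapse.
def crash_bucket(exc: BaseException) -> tuple:
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)

def fuzz(target, seed: bytes, havoc: int = 500, rng_seed: int = 7) -> dict:
    found = {}  # one example input per crash bucket
    for case in mutations(seed, random.Random(rng_seed), havoc):
        try:
            target(case)
        except Exception as exc:
            found.setdefault(crash_bucket(exc), case)
    return found

# Triage: an unexpected out-of-bounds read is worth escalating; a ValueError is the parser rejecting input as designed.
def triage(found: dict) -> dict:
    return {b: ("security-relevant" if b[0] == "IndexError" else "handled error") for b in found}
```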

The research from Moussouris and Dr. Siegel shows that tools are more than just a viable option for improving defense without impacting offense. It also shows that the obvious solution to improving the defensive vulnerability market — outspending offense — may not work.

Last year, Dan Geer, the chief information security officer for the CIA-affiliated investment firm In-Q-Tel, argued that the US should pay hundreds of thousands of dollars for any vulnerability. That way, he said, it would cut off the nefarious use of the flaws.

But one problem with that approach, says Moussouris, is that that kind of incentive program would encourage researchers to go after low-hanging fruit — bugs in new, less-vetted products rather than older, widely adopted ones. A second is that it would encourage high turnover among software developers. Why stay at Apple, for instance, if your experience working with iOS could help you find millions of dollars in bugs?

The need for better bug-hunting tools is getting support within the security industry.

"Publicly available tools are many years behind the state of the art," says Dan Kaminsky, chief scientist of the security firm White Ops, which is famous for finding a bug in the fundamental architecture of the Internet.

Mr. Kaminsky is a late convert to bounty programs — before the first ones succeeded, he was loudly against them. He worried that, without some level of quality control, companies would bankrupt themselves paying off people who found minor issues that didn't really rise to the level of threats.

Programs such as HackerOne and its competitor, Bugcrowd, saved the system by being able to competently evaluate which bugs were wastes of time, he says.

In fact, some see more promise in the Internet Bug Bounty Panel's formal recognition of useful tools than in legitimate bounty programs.

“It occurred to me that, if IBB is funding tool research, it delineates where the most effective tools are,” says Tod Beardsley, the engineering manager of the Metasploit penetration testing tool at the security firm Rapid7. "This gives a solid hand in guiding people to things that are legitimately new."

Mr. Beardsley acknowledges he is a little biased against paying for bugs — the Metasploit software is developed by fiercely loyal volunteers working for no rewards. If offering rewards for tools to discover bugs proves more effective than offering, well, nothing, he joked, “we’re out of a job.”

/World/Passcode/2015/0417/Bounty-programs-could-swat-more-bugs-with-better-tools