
How much is a security flaw worth? An inside look into Yahoo's bug bounty program

As companies try to balance transparency toward outside researchers against protecting their own sensitive business information, the often opaque bug valuation process can be controversial.

Photo: Albert Gea/Reuters. A Yahoo sign at Mobile World Congress in Barcelona in February.

Every week, the Paranoids — charged with protecting the digital security of Yahoo's more than 1 billion users — discuss one of the more mysterious parts of the cybersecurity business: How much is a security flaw worth?

On a videoconference with digital security teams spanning New York to California, the Paranoids assess weekly reports from freelance security researchers who say they found flaws in Yahoo's platforms. There, they decide whether a hacker will get a cash prize as high as $15,000 — or just a box of Yahoo-branded swag.

A relatively new part of the cybersecurity ecosystem, so-called bug bounty programs such as this one give security researchers all over the world an avenue to alert companies to digital flaws and make some cash without fear of prosecution. Their popularity has grown exponentially in recent years, especially as bug bounty coordination firms such as and (which coordinates ) make it easier for companies to post their programs' bug-hunting guidelines and cash prize ranges online for throngs of eager hackers.

Yet even as bug bounty programs mature, deciding exactly how much to pay for a bug is "oftentimes more art than science," says Doug DePerry, senior Paranoid at Yahoo who oversees its bounty program, which has paid out $1.6 million to hackers since its late 2013 inception.

That art is not always easy to explain, even to the researchers who find the flaws. A bug's value is determined by a wide variety of factors — including how severely it affected the company's security — in a discussion behind closed doors. Companies are grappling with how to communicate the reasoning behind their payment decisions with an army of hackers whose help they are actively soliciting, while still protecting their own digital security and safeguarding sensitive business information.

It's a delicate balance, and while some bug hunters may be happy to find out they're getting a nice chunk of change — some, Mr. DePerry says, have made over six figures from Yahoo bounties in the last year alone — others may end up feeling jilted.

"Whether you've done 10 minutes or 10 hours of work to submit a bug, you only have what you perceive to be a security issue," DePerry says. "Unfortunately, from their perspective, the payment process can be a little opaque. That's something we're working to rectify but it's sensitive, because that can have to do with sensitive company information. At the end of the day, this is a business — you show your hand too much in security and it's going to bite you."

A case that made headlines in the tech press this week illustrates this challenge. Security researcher Behrouz Sadeghipour last week used a vulnerability that plagued ImageMagick, a popular image-processing software suite, to target Polyvore, a fashion e-commerce website acquired by Yahoo last year. Mr. Sadeghipour filed a report explaining how he uploaded a fake image file, built on that previously known ImageMagick vulnerability, as his profile picture on Polyvore and was able to access its server.

Sadeghipour made $2,000 and Yahoo says it patched the flaw in under two hours. But Sadeghipour says it wasn't enough. "I thought I'd be paid more because of the severity of this vulnerability," he said.

In deciding how much a bug is worth, the Paranoids ask each other some key questions. Where does the vulnerability sit on the network? Was any kind of data compromised? Was that data sensitive? "For the most part, the type of vulnerabilities that can affect a larger population are worth more money, because typically they're few and far between, and because patching that one security hole can greatly increase your security," DePerry says. "A flaw that affects hundreds or thousands or millions of users is a big deal," he says. "That's worth good money to me."

In this case, for instance, Yahoo says it paid Sadeghipour that particular amount because the ImageMagick vulnerability he used was already public; DePerry says his team already knew about it. ImageMagick is also a third-party library — meaning Yahoo did not write the code where the original bug was found. What's more, the issue Sadeghipour focused on was in Polyvore, which does not store sensitive data or have access to Yahoo user data, rather than in one of Yahoo's core domains.

For his part, Sadeghipour says he had no way of verifying whether there was actually sensitive information accessible from that server because the constraints of the bug bounty program forbade him from trying to leverage his access to infiltrate the company further. "I got underpaid, but there's not much to do about it," he says. "It is what it is. The fact that I can report it and still not get sued for it is still better than nothing."

As bug bounties grow more mainstream, there are even more opportunities for hackers to make money than ever before. Tech companies such as Google and Twitter are not the only ones with bounty programs — automakers such as Tesla and General Motors, and even financial services including Western Union and Square, have hopped on the vulnerability disclosure program bandwagon.

The competition has created a largely self-regulated market, since, if researchers don't like the prices companies are willing to pay, they can try another program to see if it's more lucrative, says Katie Moussouris, who consults for companies and governments on vulnerability disclosure programs as founder of Luta Security. "That's the beauty of an open market," she says. "When they discover a bug, hackers have a choice about what to do with it."

In some cases, the companies responsible for the products might not be the only ones interested in buying bugs. As the defense market and bug bounty programs mature and become more professional, so, too, does the dynamic underground market for buying and selling vulnerabilities for cyberattacks.

Some of these companies on the so-called "offense market" have started advertising what they will pay for previously unknown hacking tools they can resell to customers — and not back to the company for fixing. Premium exploit acquisition firm Zerodium, for instance, boasts that it pays "big bounties, not bug bounties": It shelled out for a new tool to remotely hack an iPhone last year.

Other price points were revealed in , an Italian company that sells surveillance tools and malware to governments and companies around the world, which Moussouris notes appeared to assign greater value to vulnerabilities sold exclusively to it — so that they could be exploited for longer.

Even the FBI had to quantify, at least internally for the purposes of a secret contract, exactly how much one flaw was worth to its investigation. FBI Director James Comey recently hinted that the government may have paid around $1 million to an undisclosed contractor to hack into the iPhone 5C used by the San Bernardino, Calif., shooter after Apple refused to help bypass built-in security features on the device. Though that public estimate was later cast into doubt, such open public discussion and speculation about prices for bugs on both offense and defense markets is a relatively new phenomenon — "and it will be interesting to see how it plays out" in the hacker community, Moussouris says.

The newfound transparency has made one thing clear: "The prices for people buying vulnerabilities in order to use them for attacks are always going to be much higher than the defense market, which includes bug bounties," Moussouris says.

But hackers aren't exclusively motivated by money. The growing convenience of bug bounty programs can be alluring. "Instead of finding an offense market or a buyer, it's now very straightforward to go to an organization and report a bug — and not be arrested," Moussouris says. What's more: If the hackers are themselves consumers of those products, their own security will improve if their bug is patched.

So will everyone else's.

And that's why companies like Yahoo say they are taking the transparency challenge seriously. "The more fairly you treat your researchers, the more likely they are to come back and continue looking at your code, and with the overall breadth and depth of Yahoo we need all the eyeballs we can get," Yahoo's DePerry says.

In the coming weeks, Yahoo is planning to release a blog post explaining in more detail the inner workings of how it assigns bounties to bugs and, internally, to settle on clearer guidelines for that process.

At the end of the day, though, "it will never be 100 percent science," DePerry says.
