Until recently, many software vendors refused to even talk about security and anyone researching vulnerabilities in their products was pursued with legal action.
However, most software companies have now softened their stance and encourage researchers to find and report vulnerabilities. But are these programs effective at fixing vulnerabilities or simply crowdsourced security?
Software vulnerabilities largely exist because programmers are under pressure to write code quickly for new products at the expense of secure software development lifecycle (SSDLC) processes. Security often loses out to release schedules leaving bugs to be discovered and fixed later.
Over 200 companies encourage researchers to submit bugs and offer rewards for doing so. Bug bounty programs provide assurances to researchers that vulnerabilities will be addressed and guarantee finders will not face legal action. Far from being a new idea, Netscape introduced the first program in 1995, seven years before companies including iDefense (now part of Verisign) developed a business model that paid hackers for finding vulnerabilities. Mozilla has paid bounties for Firefox vulnerabilities since 2004.
The rewards can be lucrative: a critical bug in Android pays $2,000 and adding functional exploits can add tens of thousands of dollars extra, while Microsoft pays $100,000 for bypasses to security protections and has paid out over $500,000 in rewards to date. Bug discovery often leads to speaking invitations and seriously boosts a researcher’s reputation. Apple is a noteworthy exception among vendors for not offering bounties.
Bounty programs aim to reduce the likelihood of a vulnerability being exploited maliciously; every legitimate disclosure reduces the opportunity for bad guys to find and abuse them. Program administrators argue that rewarding researchers means they are less likely to sell to the black market. Google even set up ‘Project Zero’, a team of expert researchers charged with discovering and disclosing high-impact vulnerabilities - even those in Google products!
Critics counter that bounty programs are nothing more than crowdsourced security that provides a cheap alternative to thorough pre-release testing rather than complementing SSDLC processes. They add that these programs do little to stop malicious hackers finding and exploiting vulnerabilities for gain.
Gauging the effectiveness of programs is difficult given the secrecy surrounding the disclosure and fixing process. However, HackerOne, a company that helps organizations manage bug bounty programs claims over 17,000 bugs were fixed and almost $6M paid out to 2,200 hackers by their customers alone. Professional researchers find many bugs during the course of their work and very few ‘hobbyist’ researchers make substantial sums of money. Besides, personal gain is not always the motivation for taking part.
Individuals can be motivated to do something by internal (‘intrinsic’) factors such as enjoyment and challenge, or external (‘extrinsic’) factors such as reward. Many researchers hunt bugs simply for the challenge and the desire to make software more secure. While a reward may be appealing in the short term, psychologists discovered intrinsic motivation could be diminished if rewards and recognition are introduced. Being paid to do something you love can affect your motivation for doing it, and unintentionally reduce the effort invested over time.
Do bounty programs stop researchers selling to the black market? It is unlikely. Researchers motivated by rewards are either willing to sell on the black market or have morals preventing them from doing so. Bounty programs are ideal for those looking to profit from their skills without over-stepping moral (and legal) boundaries. The rewards, albeit with risks attached, of selling to the black market far outweigh the money that can be earned from bug bounties.
The fact that vulnerabilities in code persist suggests organizations still have much to learn about SSDLC. Eliminating bugs prior to release is the most effective way to safeguard user security and avoids the reputational damage vendors face from insecure software.
It is far too simplistic for companies to set up bounty programs and expect that a few thousand dollars will be enough to motivate highly skilled individuals to dedicate their time to research. Starting a bug bounty program demonstrates a commitment to improving security and is the first step towards engaging a community, which is where the true value often lies for organizations. Engagement allows the best researchers to be identified and either recruited or tasked to carry out bespoke security consultancy. This is cheaper and far more effective than hiring head-hunters to find talent.
Any effort to legitimize, recognize, and where appropriate, reward vulnerability research should be applauded for the positive and largely unseen benefit it has for all internet users. However, despite the growing number of bounty programs there has been no noticeable decline in the number of exploits in circulation, suggesting black hats are still successfully finding and exploiting vulnerabilities. Hopefully this isn’t indicative of cost-cutting by vendors seeking to crowdsource security instead of bake it into the product from the start.