Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Black Hat 2013: Responsible Disclosure on Increase through Bug Bounty Program

Photo credit: All rights reserved by Black Hat Events
Photo credit: All rights reserved by Black Hat Events

Today at Black Hat in Las Vegas, Gorenc told Infosecurity that to date this year, 200 vulnerabilities have been discovered, purchased and patched through the HP ZDI bounty program. A further 120 have been verified, purchased and submitted to vendor. This is a 20% increase on 2012 figures.

“This is a result of the rise in people looking for security vulnerabilities”, he said, explaining the increase.

Internet Explorer and Java remain the most frequent source of vulnerability, whilst Adobe – since the launch of its sandbox – has fallen behind.

The HP ZDI program focusses on critical software vulnerabilities, including SCADA and all software deployed on a mass scale.

Cases can be submitted by researchers via the HP web portal, where they are subject to root cause analysis, validity is determined, and exploitability is analyzed. If the vulnerability is proven to be valid, a financial offer will be made.

“We watch the market to determine the worth of bugs and we offer really fair prices. HP is very generous with its bounty program”, said Gorenc. Whilst there is always the chance that researchers could look elsewhere for a higher financial incentive, including the black market, Gorenc is confident that most researchers are driven by “security and the desire to make a difference. We also handle the responsible disclosure for them”, he says.

In response to concern that bounty programs encourage the detection of vulnerabilities which can be used on the black market, Gorenc determines that “researchers will look for bugs anyway. Financial compensation helps. Some will submit multiple bugs and make a living from this program alone.”

Once HP submits a vulnerability to a vendor, the vendor is given 180 days to respond and fix, otherwise “HP will tell the market”. More than 90% respond within this timeframe, Gorenc says.

Whilst Gorenc confirms that HP’s main focus and objective is responsible disclosure for the good of the industry, he also acknowledges that there is a value proposition for HP: “We’re getting the intelligence and research and are able to deploy it through our TippingPoint software”, he concluded.


What’s Hot on Infosecurity Magazine?