
Bounty programs could swat more bugs with better tools

Bug bounty programs to spot software flaws have been effective, but plenty of bugs remain. A new study suggests the best way to improve bounty programs may be to focus some of the attention elsewhere: on bug-finding tools.

[Photo: The American burying beetle. Al Behrman/AP]

There's no question that bug bounties – rewards offered for information about software flaws – have been useful in finding and fixing vulnerabilities affecting countless tech companies. 

In fact, Google announced in February that it was so happy with its "Pwnium" program to find bugs in the Chrome browser, it would expand the budget to "infinity million dollars." The success of bug bounties has even spawned a cottage industry of companies that run bounty programs. HackerOne, for example, operates bounty programs for Twitter and Yahoo. 

But even with the rewards that businesses are offering, many vulnerabilities still go unreported to firms whose software needs to be repaired. The problem is that interested third parties – both foreign and domestic government agencies and sometimes criminals – are willing to pay handsomely for the bugs to use for their own means. 

Companies offer bounties that range from a mention on a website or a T-shirt to payments that are rarely more than a few thousand dollars. Facebook, for example, paid an average of $1,788 per vulnerability last year. But corporate rewards are no match for open market values. Major vulnerabilities can sell for tens or hundreds of thousands of dollars. 

And as long as that shadowy market exists, the question is how to shift the balance of power in the vulnerability marketplace from people looking to purchase bugs they plan to exploit to people who plan to fix them. Or, in industry terms, how can we dry up the market for offense and expand the market for defense? 

The solution might be to create an entirely new marketplace. 

New research that will be presented next week at the RSA Conference on computer security in San Francisco says that bug bounty programs should be joined by tool bounty programs.

“If you talk to people in the offensive market, they don’t use tools,” says Katie Moussouris, chief policy officer of HackerOne, who coauthored the paper with Michael Siegel, principal research scientist at the MIT Sloan School of Management.

"They’re like Neo in 'The Matrix,' able to see the woman in the red dress right away," says Ms. Moussouris. "Improving tools benefits defense way more than offense."

Moussouris is putting her money where her mouth is. The Internet Bug Bounty Panel, a service supported by HackerOne that provides bounties for unfunded open source development, is starting to offer rewards for new tools, as well. The panel will even retroactively provide rewards for tools that have already been built. 

Some tools do exist. One, called a fuzzer, is a program that feeds random or malformed inputs to other software in order to make it crash. An additional tool can then be used to check whether the crashes it finds could lead to security breaches. But, until now, there hasn't been much incentive to produce and publicize such tools – other than the Internet equivalent of civic pride.

The research from Moussouris and Dr. Siegel shows that tools are more than just a viable option for improving defense without impacting offense. It also shows that the obvious solution to improving the defensive vulnerability market – outspending offense – may not work.

Last year, Dan Geer, the chief information security officer for the CIA-affiliated investment firm In-Q-Tel, argued that the US should pay hundreds of thousands of dollars for any vulnerability. That way, he said, it would cut off the nefarious use of the flaws. 

But one problem with that approach, says Moussouris, is that that kind of incentive program would encourage researchers to go after low-hanging fruit – bugs in new, less-vetted products rather than in older, widely adopted ones. A second is that it would encourage high turnover among software developers. Why stay at Apple, for instance, if your experience working with iOS could help you find millions of dollars in bugs?

The need for better bug-hunting tools is getting support within the security industry. 

"Publicly available tools are many years behind the state of the art," says Dan Kaminsky, chief scientist of the security firm White Ops, which is famous for finding a bug in the fundamental architecture of the Internet.

Mr. Kaminsky is a late convert to bounty programs – before the first ones succeeded, he was loudly against them. He worried that, without some level of quality control, companies would bankrupt themselves paying off people who found minor issues that didn't really rise to the level of threats.

Programs such as HackerOne and its competitor, Bugcrowd, saved the system by being able to competently evaluate which bugs were wastes of time, he says.

In fact, some see more promise in the Internet Bug Bounty Panel's formal recognition of useful tools than in legitimate bounty programs. 

“It occurred to me that, if IBB is funding tool research, it delineates where the most effective tools are,” says Tod Beardsley, the engineering manager of the Metasploit penetration testing tool at the security firm Rapid7. "This gives a solid hand in guiding people to things that are legitimately new."

Mr. Beardsley acknowledges he is a little biased against paying for bugs – the Metasploit software is developed by fiercely loyal volunteers working for no rewards. If offering rewards for tools to discover bugs proves more effective than offering, well, nothing, he joked, “we’re out of a job.”

Source: https://www.csmonitor.com/World/Passcode/2015/0417/Bounty-programs-could-swat-more-bugs-with-better-tools