Bug Bounty Programs
Recently, companies have been offering money for the responsible disclosure of security vulnerabilities. Google and Facebook led the way and others are starting to follow suit. According to Wired, the programs have been successful but some are criticizing companies who don't have bug bounty programs.
But some of the biggest vendors, who might be expected to have bounty programs, don't. Microsoft, Adobe and Apple are just three software makers who have been criticized for not paying independent researchers for bugs they have found, even though the companies benefit greatly from the free work done by those who uncover and disclose security vulnerabilities.
Criticizing a company because they don't pay people who report security bugs is weak. Some companies have created a culture of responsible disclosure, while others haven't.
In the same article, Chris Evans of Google:
You do want to have a decent-size security team before you undertake [a bug bounty program], and you do want to make sure that you're fairly confident your products meet a reasonable level of robustness. Obviously you need a pretty large security team to be able to sort of absorb that increase in load.
Microsoft, Adobe, and Apple may not be currently positioned to have a bug bounty program. Their products may not be as securely robust as they want or their security teams may not be ready to absorb the load.
Companies who offer bug bounty programs are awesome. The companies create financial incentives to those who would do the security research even without the money. But, the largest benefit of a bug bounty program is allowing researchers a clear path to disclose vulnerabilities.
Reporting vulnerabilities can be legally and professionally risky. When a researcher discloses the vulnerability to the vendor, there is no "whistle blower" protection and independent security researchers may be unable to legally defend themselves. You may get threatened, sued, or even thrown in jail. A number of security researchers have had their employers pressured by vendors to whom they were responsibly disclosing security vulnerabilities. Vendors expect security researchers to follow responsible disclosure guidelines when they volunteer vulnerabilities, but they are under no such pressure to follow responsible guidelines in their actions towards security researchers. Where are the vendors' security research amnesty agreements?
A bug bounty program gives security researchers this amnesty agreement. The company is promising not to prosecute. The money is nice, but the promise of not going to jail is nicer. The Wired article points to an investment firm who attempted to prosecute someone who disclosed a vulnerability.
Webster wrote a script to download about 500 account statements to prove to First State that its account holders were at risk. But First State wasn't grateful. The company reported him to police, then demanded access to his computer to make sure he'd deleted all of the statements he had downloaded.
A company telling researchers they won't prosecute is huge. The money isn't important. If you did any of the following would you expect to get paid?
- Returning a wallet.
- Helping a lost child find their parents.
- Putting money in an expired parking meter
If you did any of these things, it would benefit the receiving party greatly. But, you wouldn't expect to get paid. You would do it because it's the right thing to do. If you did one of these things, out of kindness, you also wouldn't expect to go to jail for it.
Even if companies aren't paying researchers to disclose vulnerabilities, they should have a amnesty agreement in place publicly for security researchers.
Written: November 28, 2012