Bug Bounties and the Price of Security
In a recent article on the NSS Security blog, Stefan Frei discusses a potential standard for bug bounty programs and how it could help secure targeted applications and still be economically sound. Brian Krebs covered the article with his own thoughts via the Krebs On Security blog. We here at Malwarebytes thought we would weigh in on the topic as well.
Frei’s paper suggests a standard be set for all software companies to offer bug bounties at $150k per exploit found. This might encourage vulnerability researchers to look closer at certain applications and choose to get paid through legitimate means (i.e. the software vendor) rather than selling their discoveries to the underground cyber-crime community.
Paying $150k for bug bounties would help the industry because more professional vulnerability researchers would opt to go the white hat route, in addition to being able to properly claim your earnings to the government would probably be a nice perk compared to what they are used to (having to hide it).
The other side of the coin is that companies would most likely rather employ full-time vulnerability researchers, paying them a salary to find bugs in the software, rather than paying out $150k times however many bugs they have.
The NSS article describes using government intervention to police the software developers bug bounty programs, as it would be for the greater good. This might work for the bigger companies, however you can’t expect the same payout available from companies that don’t pull in nearly as much overhead as the bigger developers.
Application Security is Broken
A big problem with securing an application, especially a popular one, is that it is entirely customer driven and not sales driven.
Everyone is going to use Adobe Flash or Java or Windows, not necessarily because they don’t have a choice but because using anything else is either too expensive, too difficult for a novice user or the user is simply unaware of different options.
This means that said vulnerable applications are not only targeted greatly because of their widespread use but also completely unopposed in the market, which (in theory) means that they don’t have to update or patch because users will still use their products because they don’t have any competition.
If gas stations had vulnerabilities and Station A opened up across from Station B, it would be in the best interest for either station to completely patch and secure, so that customers will feel safe when using their goods, in the effort to bring in customers.
If Station A was the only station in town, they could charge and practice any way they want, because the customers wouldn’t have a choice in the matter.
A Possible Solution
A possible method of urging companies to do better bug hunting is to offer a federally approved industry seal for software that has been tested.
Users would have some idea of whether or not the software they are about to use is being checked-out by professional vulnerability researchers or not. This seal could be used to identify secure software for users in stores or even when weighing options for a corporate environment.
The use of bug bounties is a great complement to an internal bug review, employing a full-time bug hunter would be economically sound, however, another set of eyes and the possible boost from a PR standpoint would be beneficial to any large company.
You could also approach the benefits from a liability standpoint. Many banks are held liable for the loss of money from a robbery, an amusement park is liable for a ride that malfunctions and injures a guest. Why don’t we hold software developers to the same standard and when their product gets exploited, you can hold them liable for the data loss.
I am sure that if we held companies responsible for massive hacks, the cost of employing 10 bug hunters would still be less than what they would have to pay back to their customers.
Some experts says that software vulnerabilities are only a small piece of the puzzle, which I have to agree with, because social engineering and web attacks are also a massive part of the process.
At the end of the day, you can’t expect software developed for the purpose of watching videos to protect users from external threats to the operating system.
Therefore, using tools like antivirus scanners and knowledge about common hacking techniques (social engineering, etc.) is vital to protecting a user.