Vulnerabilities / Threats
4/28/2014
07:30 AM
Marisa Fagan
Marisa Fagan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Why Bug Bounties Are The New Normal

Bug bounties today are big business. Find out how crowdsourcing is changing the dynamics of independent security research and vulnerability disclosure.

What was once an infrequent arrangement practiced by well-intentioned white hat security researchers has become a market with norms that are being defined and enforced on a daily basis. In fact, vulnerability disclosure has become a lucrative career for determined independent researchers. The practice of "good faith effort" has gone from being the responsibility of the researcher to the obligation of the company.

Today, there is an expectation in the market for companies to be receptive to independent security research, and companies that react negatively are being portrayed as shortsighted and ineffective. In this newly evolving security research market, there are two drivers changing the old model.

The first is that researchers are expecting to be rewarded for their findings more frequently. Companies like Microsoft and Github are legitimizing the policies of Google and Facebook to pay for security vulnerabilities in a bug bounty program. (Facebook especially has seen a substantial increase in the rate of submissions.) Bringing this reward structure to the mainstream changes the expectation of security researchers in general.

The second driving change is a flood of inexperienced researchers joining the market to take advantage of the new economy. While, on the surface, this might seem like a negative change, experience shows us that this increase in numbers allows companies to tap into the powerful benefits of crowdsourcing. For relatively low costs, crowdsourced security testing produces better code coverage and realistic attack vectors.

These changes have created a new model in the disclosure market: "transactional disclosure." A transaction is a business arrangement where each side is equitably compensated in a simple, repeatable process. In the bug bounty market, a transaction is a monetary reward paid for submitting a security bug, and there are thousands of these transactions every year averaging small payouts of less than a few hundred dollars each.

More eyeballs & a new vocabulary
For experienced researchers disclosing serious, high-impact bugs, the process is well understood, but labor intensive. The expectation is that the effort to be rewarded will align with the reward. It usually involves a time-consuming process of revealing banking and tax information, along with other pieces of identity. In exchange for this effort, the reward is usually a large amount of money. With the coming generation of career bug bounty researchers making their money through higher volumes of lower-impact bugs worth less money, the effort on both sides is only worthwhile if the process for disclosure can be streamlined and efficient. 

Researchers expect communication and validation in a timely manner, and, as a result, a shorthand vocabulary has evolved: A submission is either a "valid bug" or an invalid submission. A “duplicate” is a valid bug that is either already known about from a previous submission, or it’s part of the original list of known bugs set in the terms of the policy. A bug can be valid, and still not be rewarded because it does not carry a high enough impact for the company to justify fixing it. These are examples of the sorts of predictable activities that are creating the basis for the CERT Division of the Software Engineering Institute's Vulnerability Disclosure Policy.

This army of eyeballs is changing the dynamic between the security team and the developers when they are handing off lists of vulnerabilities basically found in the wild. The crowd, with its volume, feels more like the public eye. With that comes the expectation that companies can commodify their responses in the same way researchers are commodifying their high volume of lower-impact bugs. It demonstrates that a vulnerability disclosure no longer lives in a vacuum, and when a researcher chooses to disclose, he or she brings to the table expectations shaped by every previous experience disclosing bugs to other companies.

The biggest sign that the model for vulnerability disclosure has changed is the emergence of new crowd-sourced security companies like Bugcrowd, where I work as a community manager for a crowd of over 8,000 security researchers. These third parties are streamlining the disclosure and payment process to the level of easy transactions. Researchers are able to use the same payment information across dozens of sites when testing for bugs, and are able to justify the effort more effectively. Plus, there is an added bonus of a layer of abstraction and anonymity between the researcher and the target company.

Bug bounties are becoming big business, and these crowdsourcing services are iterating the transactional model to make it as easy as possible to get as many bugs as possible out of the wild. Companies need to be aware that there is a new community of security researchers with evolving expectations about vulnerability disclosure. Those companies that do not stay in front of this trend may end up, not only with a breach on their hands, but with a lack of public sympathy as well. 

Marisa Fagan is the Community Manager for the crowd of more than 7,000 security researchers at Bugcrowd. She brings seven years of experience working with the information security research community to bridge the gap between companies and independent research. She's worked ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/29/2014 | 9:03:13 AM
Re: About time!
Marisa, 

How widely recognizd and adopted -- amoung bounty hunters -- is the CERT Software Engineering Institute's Vulnerability Disclosure Policy?
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
4/28/2014 | 7:10:46 PM
Re: About time!
In my professional opinion it appears that many of the large players in the market have adopted the pay for bug mentatility, Yahoo included.  I believe it was shortly after the Yahoo incident when the Microsoft and Facebook backed HackerOne site was launched to create a central location for bug bounties.  

Obviously there are still hold outs to the new norm but I would say they are now a minority.  Moving forward any large companies that refuse to pay for bugs may find themselves on wrong side of a vulnerability.
dumbledin
100%
0%
dumbledin,
User Rank: Apprentice
4/28/2014 | 5:36:22 PM
Re: About time!
yes!! Yahoo pays me on HackerOne have received $15000 to date. can't use bugcrowd for bounties there. very happy of hackerone team for bounties and hackers :)
MarisaFagan
100%
0%
MarisaFagan,
User Rank: Author
4/28/2014 | 4:07:07 PM
Re: About time!
Robert, Yahoo is a fantastic example of this growing trend towards paying external researchers. 6 months after the Yahoo "Tshirt-gate" media coverage, their security team is now paying out a minimum $250 bounty for bugs that demonstrate a security impact. 
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
4/28/2014 | 3:17:49 PM
Re: About time!
Robert, do you think the security industry recognize and understands the new role bug bounties play in vulnerability management? Or are most of them still in a T-shirt mentality?
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
4/28/2014 | 2:37:20 PM
About time!
As this article points out, bug bounty programs are not a nicety but rather they are necessary.  For example, just last year a security firm reported four separate XSS vulnerabilities to Yahoo and their reward, a tee-shirt.  The moral of the story, if the security researcher is not properly compensated for their work then they may sell the information to someone who is more generous. 

Link to Yahoo story
More Blogs from Commentary
Ram Scraper Malware: Why PCI DSS Can't Fix Retail
There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data
Dark Reading Radio: The Winners & Losers of Botnet Takedowns
Our guests are Cheri McGuire, VP of global government affairs and cyber security policy for Symantec, and Craig D. Spiezle, executive director and founder of the Online Trust Alliance.
Infographic: With BYOD, Mobile Is The New Desktop
Security teams have no choice but to embrace the rapid proliferation of BYO devices, apps, and cloud services. To ignore it is to put your head in the sand.
Internet of Things: Security For A World Of Ubiquitous Computing
Endpoint security is hardly dead, and claiming that it is oversimplifies the challenges corporations face now and in the not-very-distant future.
CEO Report Card: Low Grades for Risk Management
Dark Reading's latest community poll shows a stunning lack of confidence in chief execs' commitment to cyber security.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.