Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

07:11 AM

Better Bug Bounties Mean Safer Software, More Research Demand

Companies should expect safer software as more companies adopt bug bounty programs and studies prove their effectiveness

The addition of new bug bounty programs and research showing their effectiveness will improve software security, raise the awareness of the importance of secure development, and create a more mature market for freelance security research, say vulnerabilities experts.

In June, Microsoft announced its own limited vulnerability rewards program (VRP), designed to find bugs in its operating system and browser software before they are shipped. The company pays $100,000 for novel means of bypassing security measures in Windows 8.1, and $11,000 for critical bugs in the preview version of Internet Explorer 11.

Microsoft's adoption of a bug bounty program and research from the University of California at Berkeley showing such programs are more cost-effective than internal researchers should drive other software companies to both adopt their own programs and deliver more secure software, says Michael Coates, director of security assurance for Mozilla.

"I think the biggest trend we will see is any new company adding a bug bounty program will see an initial spike of vulnerability submissions, as developers dive into the internals of the program," he says. "Then you will see a tailing off, but there will be a constant rate of vulnerabilities being submitted over time, as the program evolves."

While more bug reports mean more patching and more work for enterprise IT security teams, as the programs mature any deluge of vulnerabilities will settle down to a trickle, says Brian Gorenc, manager of the Zero Day Initiative at HP Security Research.

"For the end user, it's a positive thing that vulnerabilities that are on the market now are being taken off the market and fixed, stopping the weaponization of those bugs," Gorenc says.

HP's Zero-Day Initiative has 125 vulnerabilities in the pipeline -- reported to ZDI, but not yet patched -- a 25 percent increase over the previous year. In addition, the company's third-party program has accounted for nearly half of all Microsoft flaws patched in the past year, he says.

With more money being paid for vulnerabilities, more researchers will likely join the part-time ranks of bug hunters. Interest in finding vulnerabilities has surged: In the past week, for example, five new researchers have submitted bugs to ZDI, Gorenc says. The increase in the number of bug bounty programs and higher rewards has led to an increase in the number of participants, he says.

[Microsoft officially kicks off a newly announced, game-changing three-part bug bounty program. See Microsoft's Big Bucks For Bugs Ups The Ante.]

Along with Microsoft's move to a vulnerability reward program, three Berkeley researchers found that such programs are cost-effective compared to internal researchers.

Three researchers from the University of California at Berkeley studied both Google's vulnerability reward program (VRP) for Chrome and Mozilla's bounty program for finding bugs in Firefox. Both programs had similar costs to the companies, with Google's program costing the company $485 per day and Mozilla's program costing the organization $658 per day.

"The cost of either of these VRPs is comparable to the cost of just one member of the browser security team," the researchers stated. "On the other hand, the benefit of a VRP far outweighs that of a single security researcher because each of these VRPs finds many more vulnerabilities than any one researcher is likely to be able to find."

Google's tiered structure for bounties -- paying a set fee for most vulnerabilities, but with higher payouts for clever discoveries -- is more effective, the researchers found. Google raised the rewards it pays for vulnerabilities earlier this year because researchers were having a harder time finding issues, the company said.

"This makes sense with an understanding of incentives in lotteries: The larger the potential prize amount, the more willing participants are to accept a lower expected return, which, for VRPs, means the program can expect more participants," they wrote.

While the effectiveness of bug bounty programs could result in software companies backing away from the hard work of developing and maintaining a secure development life cycle for their software products, it's unlikely to do so, Mozilla's Coates says.

"If a company had simply adopted a bug bounty program without doing the fundamental ground work of secure development, it would not be a good strategy for identifying security flaws," he says. "Without a secure foundation, a bug bounty program on its own is just attacking the problem in the wrong way."

CORRECTION: The original article misstated how quickly new researchers had joined ZDI's program. Five new researchers have joined in the last week to submit bug reports, according to the Hewlett-Packard business unit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.