Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
01:00 PM
Oleg Brodt
Oleg Brodt
Connect Directly
E-Mail vvv

Bug Bounties and the Cobra Effect

Are bug bounty programs allowing software companies to skirt their responsibility to make better, more secure products from the get-go?

During British rule in India in the second half of the 19th century, the British were concerned about the abundance of venomous cobra snakes across Delhi. To mitigate the threat, the British government started offering bounties for every dead cobra snake that hunters turned in. 

As expected, the bounty program was a success, as dead cobras started pouring in. Soon enough, more volunteers joined the effort, and it seemed that cleaning Delhi out of deadly snakes was a matter of time. Nevertheless, as months went by, the pace of beheaded-snake deliveries did not decline. On the contrary: Unlike as the government anticipated, it increased. 

Related Content:

Beware the Bug Bounty

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Best 11 Quotes From Cryptographers Panel

Authorities started to investigate. To their surprise, Delhi was full of cobra breeding farms. Once the street snake population started to decline, it was much harder for the hunters to keep up with their bounty rewards. Instead, the locals set up snake breeding farms and now had an unlimited supply of dead cobras, yielding a constant income of reward money.  

Once the authorities realized their original intentions backfired, they shut the program down in disappointment. But the breeders — now stuck with worthless cobras — released the snakes free, yielding an even larger population of venomous animals wandering the streets. In other words, the program contributed to an increase — rather than a decrease — in the number of wild snakes, at taxpayers' expense. Consequently, the phenomenon of achieving opposite results from the original goal was dubbed the "cobra effect." 

What the Cobra Effect Has to Do With Bug Bounties
This anecdote can teach us a valuable lesson about cybersecurity bug bounty programs. Most of them offer monetary compensation, corporate swag, and leaderboard "glory" to bug hunters who disclose cybersecurity vulnerabilities. Despite good intentions, an entire ecosystem of bug bounty hunting has emerged. There are now specialized courses, trainings, books, conferences, and program management companies dedicated to bug bounties. It seems bug hunting became an industry of its own — almost none of which existed a decade ago — with a growing army of bug hunters.

Unlike cobras, vulnerabilities cannot be "bred." Therefore, at least theoretically, at some point, the bug hunters should dry out the swamp of vulnerabilities. Nonetheless, in practice, it is rather convenient for software vendors to transfer the liability of eliminating vulnerabilities in their products to bug hunters, who are much cheaper than maintaining dedicated security personnel.

You see, there are two main ways to tackle software vulnerabilities. You can either prevent them with extensive secure-by-design development, code testing, static and dynamic analysis, and fuzzing, or you can detect them by looking for vulnerabilities after the code is in production. Hopefully, you are doing both. However, while secure-by-design coding entails hiring experienced security personnel, properly training developers, and delaying release cycles to finish security testing, bug hunting is much cheaper. Vendors can just delegate their bug-finding responsibilities to an army of freelancers and, instead of paying salaries, pay for success.

In other words, in a world without bug hunters, companies must invest more in better coding practices and bear more responsibility for their products' security in the first place, before the product hits the market. The cobra effect in cybersecurity bug bounty programs allows vendors to run away from their responsibility to make better, more secure products from the get-go, solve the problem at its source, or at least try.

Carrots or Sticks?
Indeed, there is room for bug bounty programs. However, as time goes by, it's become clearer that bug bounties are not a magical solution to a difficult problem. We must make sure that we set the right incentives for them to work as intended.

We must give carrots to companies that take security seriously by providing them with legal "safe harbor" provisions that protect them from cybersecurity-related civil litigation. If they work to protect society, society should pay them back in the same coin. To be eligible for legal protection, they must, at a minimum, demonstrate that all their software developers are properly trained to write secure code; their code complies with secure development standards; they bake security into the products from the start; and they take their vulnerability disclosure policy seriously by fixing bugs within a predefined time frame. Obviously, such bug disclosures can be done by bug hunters, but bug bounties should be a small part of the overall solution.

Conversely, companies that don't take society's security seriously must get the stick. They should not be eligible for any legal protection if they are sued for lousy security. Affording whistleblower protection for security researchers is important since some companies threaten researchers who find vulnerabilities in their products with legal action.

Let's try to solve the vulnerabilities problem at its source. It will never be perfect, but we should try, nonetheless. In most developed countries, we get clean water to our homes. It has been sanitized and filtered by the water companies and authorities. The situation is quite different in third-world countries. People who are lucky enough to get water to their homes must filter it themselves. For society as a whole, central filtration is cheaper, more effective, and less time consuming. The societal benefit of cybersecurity is the same. Let's shift the focus to cleaning vulnerabilities at the source, rather than shipping out insecure software while counting on bug hunters to solve the problem.

Indeed, we have made positive progress since the days of Charlie Miller and the "no more free bugs" movement, and bug bounties programs reinforced cybersecurity for a while. But it's time to rethink the balances they create and make sure we are on the right path. After all, our goal is to make security better — not to create more cobra effects.

Oleg serves as the R&D Director of Deutsche Telekom Innovation Labs, Israel. He also serves as the Chief Innovation Officer for [email protected] University, an umbrella organization responsible for cybersecurity-related research at Ben Gurion University, Israel. Prior to ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...