The idea that you might pay someone else to keep quiet a vulnerability while you fix it may seem a bit backward to some in computer security. It would also seem to invite attacks on infrastructure. It’s no surprise, then, that many companies with technological products don’t have bug bounties.
A bug bounty is a fee that is paid out whenever a hacker discovers a legitimate bug and co-ordinates with the company in order to recieve the fee rather than selling the exploit or announcing it to the world. It’s a technique that has come into the public spotlight by being implemented at such prestiegeous places as Facebook and Google.
But WHY? Why does it work?
For many hackers, the security vulnerability is the means and the end — that is, they hack in order to find a security vulnerability and once one is found, they know that the service is vulnerable. Some hackers inevitably choose to sell these or trade these in underground markets, but many wish to see them fixed (perhaps the hacker uses the service or understands the potential for damage should it be abused). Many will then attempt to contact the company and disclose the vulnerability. Should the company drag its feet or if the hacker is feeling particularly onery, the vulnerability will be publicly disclosed (typically referred to as a “grey hat” method of disclosure).
Having a bug bounty program lets computer security folks know:
- You understand security processes and the motives behind finding vulnerabilities
- That your company is dedicated to fixing the problem
- That you wont shoot the messenger or try to stifle them
- That they can earn more respect and money by working WITH you than AGAINST you
It’s a psychological change that can help garner you more security and more respect in the security community as an organization that is dedicated to secure software/hardware. That way you won’t end up with anonymous trying to wage Internet battle with your company.
Below is a list of bug bounties offered by various companies:
- http://en.wikipedia.org/wiki/Pwn2Own
- http://www.mozilla.org/security/bug-bounty-faq-webapp.html
- http://www.mozilla.org/security/bug-bounty-faq.html
- http://www.tarsnap.com/bugbounty.html
- http://www.facebook.com/whitehat/bounty/
- http://www.google.com/about/company/rewardprogram.html
- http://www.chromium.org/Home/chromium-security/vulnerability-rewards-program
In the end it’s easier to pony up cash for vulnerabilities and fix them before they become security headaches or,worse, go unnoticed for long periods of time while they are used in advanced attacks. Encourage the behavior you want to see in the security community by implementing a bounty program of your own. Companies like Facebook and Google have already handed out tens of thousands of dollars for their bug bounty programs at between $500 and $1337 dollars a pop.
Related Reading:
Discovering and proactively blocking malicious infrastructure
Flash of the obvious: you are responsible for protecting your data
Admiral Stavridis: Think, Read, Write and Publish, and Blog Too
The Navy’s Disconnected Refresh Strategy: Delivering Yesterday’s IT Tomorrow
SEC Guidance on disclosure obligations relating to cybersecurity risks and cyber incidents
