Bug bounties: Bad dog! Have a treat!

Bug bounty programs are probably very cost-effective for software vendors, but they reward bad behavior

By Kenneth van Wyk, Computerworld |  Security

I'm confident that companies with bug bounty programs have weighed these costs carefully. Having held off on a public program for so long, Microsoft seems likely to have put a great deal of consideration and justification into its decision. Of course, I don't have access to the actual factors that influenced these decisions, but it stands to reason that the cost structure is beneficial for the sponsoring companies.

Against bug bounties

Part of what makes me dislike bug bounty programs is the fact that they reward bad behavior. I can't help but think that the bug finders are in essence holding a metaphorical gun to the heads of the software companies by saying, "pay up or I'm going to publish this vulnerability to the world". Perhaps that explains Microsoft's reluctance till now to embrace bug bounties. Let me explain why I think bug bounty programs are a doggie treat for bad pooches.

Long ago and far away, I spent quite a bit of time working with software development organizations, reporting vulnerabilities and helping test and announce their mitigations. Back then, there was a strong movement toward full disclosure of software vulnerabilities. It was believed that reporting vulnerabilities to one's local computer security incident response team (CSIRT) was an effective form of responsible disclosure. The CSIRT acted as a middleman, oftentimes protecting the privacy of the original reporter as it helped coordinate and communicate with the software developer.

At some point, a few people started reporting vulnerabilities directly to the software development organization involved. But this still constituted responsible disclosure. In either scenario, disclosure of the vulnerability -- and, oftentimes, example exploit code -- was inevitable. Responsible disclosure drove both parties to agree on a timeline, with everyone recognizing that the vulnerability would eventually be published. Responsible disclosure rectified the bad blood that existed in the early days of vulnerability handling, when software vendors would threaten CSIRTs with lawsuits if they published vulnerability information. (I personally experienced this.)

But then that bad behavior I mentioned started to creep into the process. Some vulnerability reporters, frustrated by not getting a prompt response from the developer organization, would threaten to go public. The horrified software vendor would then agree to pay the reporter to keep the information private for a defined period of time.

Originally published on Computerworld |  Click here to read the original story.
Join us:






Answers - Powered by ITworld

Ask a Question