Bug bounties have good intentions, but in a world where cyber warfare is a reality, they can lead to complex consequences where ethics and espionage come into play. When private companies compete to outbid each other’s bounties, it can create a dangerous playing ground that could potentially put millions of users’ sensitive information at risk.
Bug bounties or disclosure programs have been crafted by websites, software developers or a variety of other companies whose products incorporate specific critical technologies. Since developers are often outwitted by cyber criminals, many developers now offer recognition and compensation to those who find and report bugs pertaining to exploits and vulnerabilities.
Zero-day vulnerabilities are the most sought after in these disclosure programs. Zero-day vulnerabilities are flaws that are unknown to the rest of the world, including vulnerabilities that not even the product’s developers are aware of. Zero-days tend to gather the highest bounty, as the consequences of leaving these kinds of exploits unpatched can be very severe. Bounty programs give developers time to resolve bugs before the general public is aware of them, in an effort to prevent security incidents from becoming widespread. They have become a necessary component of providing security solutions in a fast, effective and fair way.
It is not the bounty alone that these ethical hackers are after. The public acknowledgement and publicity that comes with discovering a security vulnerability may be worth much more. Here’s a list of 164 major companies with bug bounty or disclosure programs in place.
A Question of Ethics
Crowd-sourcing security in this way has been utilized by car companies and airlines alike to find critical flaws. Companies like Microsoft, Dropbox, Google, Pinterest and Twitter have all held bug bounty programs. It’s typically large companies that can afford to hold bug bounties, as the payout is more cost effective than the public embarrassment or clean-up that would be needed in the event of a data breach or hacking. While these programs are increasingly common, it’s Apple’s latest program that has resulted in some controversy and should be of concern.
In August, Apple announced it would pay a $200,000 bounty to anyone who discovers and reports security vulnerabilities in its products. The question of ethics arises because, almost immediately after Apple’s announcement, Exodus Intelligence announced it would pay more than twice as much for the same Apple vulnerabilities. As part of Exodus’ “research sponsorship program”, they will then charge other companies a subscription fee for intelligence about these software weaknesses.
The price of a bounty is usually determined by the exploitability of the vulnerability. Attacks typically exploit vulnerabilities that have patches available but not yet applied. While each company operates by its own standards, Microsoft uses two tools to communicate the severity associated with its known vulnerabilities.
- Microsoft Exploitability Index: Details, in levels, the likelihood that a vulnerability addressed in their security updates will be exploited.
- Microsoft Security Response Center Bulletin: Assumes that an exploitation would be successful.
Zero-day flaws almost always sell for higher sums to brokers that resell them for espionage than to the manufacturers looking to repair them. This creates a landscape where exploit extortion takes place while users’ data is at risk of being compromised. Seemingly well-intended bounty programs are opening up their vulnerabilities to be used as a weapon.
Earlier this year, the FBI paid almost $1 million for a zero-day vulnerability that allowed them to crack the password on the iPhone belonging to one of the alleged San Bernardino shooters. “Zero days are sold on a number of markets, including in the white market bug bounty programs offered by software makers, the black market that sells to criminal hackers, and the gray market, where brokers and others sell to governments and intelligence agencies.”
Things to Consider
While offering bug bounties may be more cost effective than hiring in-house security researchers, it involves trust, ethics and corporate responsibility among all parties involved. Some companies (like Apple) make participation in their programs invite only. Programs that are open to the public benefit from more eyes, but may suffer from a slow response process due to excessively high submission rates.
Bug bounty programs were developed, and continue, because they are effective. When crystal clear guidelines are put into place (and followed), they should be a quick and efficient way for ethical hackers to safely report vulnerabilities. While there is certainly logic behind these programs, allowing hackers access to software while competitors outbid each other for security solutions could result in dangerous consequences.
(image via flickr/Jeremy Schultz)