Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Joys of Running a Bug Bounty Program

Posted by timothy on from the do-you-guys-buy-moths-as-well-as-caterpillars? dept.

Trailrunner7 writes "When Barracuda Networks started its bug bounty program about three months ago, company officials weren't exactly sure what to expect. They didn't know whether there'd be an onslaught of submissions or the sound of crickets chirping. The reality turned out to be somewhere in the middle. Overall, the company has been getting about 10 bug reports a month, none of which has been very serious. But that doesn't mean the program hasn't been a success. Peck said that Barracuda also had run into the same problem that Google and others have: hackers don't pay much attention to directions. The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site."

52 comments

  1. Hackers and directions by MrEricSir · · Score: 2

    Hell, I could have told you that hackers don't read directions.

    But would you have read my advice?

    --
    There's no -1 for "I don't get it."
    1. Re:Hackers and directions by RavenChild · · Score: 1

      Hackers are hackers because they don't follow directions. Using something as intended goes against hacking's very essence.

    2. Re:Hackers and directions by symbolset · · Score: 2

      If you give web designers a place to submit bug reports on your website, even if it's not exactly topical, they'll use it. Some web designs are truly unfortunate. If HP published the physical location of their web design teams they'd probably have to enroll them in something similar to a witness protection program.

      --
      Help stamp out iliturcy.
    3. Re:Hackers and directions by Anonymous Coward · · Score: 0

      Then not paying them as expected should suit them nicely.

      The whole "hackers don't play by the rules" doesn't wash with me. Part of hacking is a feel for *which* rules to bend or break...

    4. Re:Hackers and directions by Anonymous Coward · · Score: 2, Funny

      Wait, this was covered in Dilbert years ago.
      The pointy-haired boss announced there would be bonuses based on bugs found.

      Wally shouted "woo hoo, I'm writing myself a minivan today"

  2. What? by valkabo · · Score: 1, Interesting

    Hackers are excellent at following directions. They are just also excellent at seeing where the directions are flawed and exploiting them. What.. you think steve the hacker is finding holes in your software by guessing? No. He uses the program like it is suppose to be used and then tracks down the issues he is looking to exploit. You can't break a rule if you don't totally understand it.

    1. Re:What? by Anonymous Coward · · Score: 0

      Methinks you don't have much of a history either hacking or reverse engineering. Guessing is usually half the job.

      OT: last week when trying to crack some program's behavior I was stepping through 200 pages of assembly, looking for the magical branch instruction; somehow I immediately pinpointed it absent any contextual information whatsoever. I was stumped. // end of trivial example

    2. Re:What? by sortius_nod · · Score: 2

      I'm thinking you don't either by saying that it's "guessing".

      An informed guess is different to a blind guess, and to be quite frank, blind guesses don't generally find exploits or bugs.

      That said, running in and guessing isn't what you do when you want to break a system, generally you need to know how the system works, or know enough to be able to theorise what might break it. It has nothing to do with guessing.

    3. Re:What? by Anonymous Coward · · Score: 0

      An informed guess is still a guess. You're simply arguing semantics by stating the obvious.

    4. Re:What? by totally+bogus+dude · · Score: 1

      OT, but congrats... your post is currently scored at -1, Insightful.

      A far cry from the coveted +5 Troll but still pretty cool!

    5. Re:What? by TimHunter · · Score: 1

      You can't break a rule if you don't totally understand it.

      Uh, what? Frequently you break a rule because you don't understand it.

      Just for example, suppose I tried to upgrade the electrical wiring in my house without understanding the electrical system building code. The building inspector won't approve my changes because I broke the rules about electrical wiring.

    6. Re:What? by Anonymous Coward · · Score: 0

      You can't break a rule if you don't totally understand it.

      Explain these guys: http://en.wikipedia.org/wiki/Script_kiddie

  3. Pay up if they fix the "out of bounds" issues by PatPending · · Score: 2

    The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site."

    If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
    1. Re:Pay up if they fix the "out of bounds" issues by Wrath0fb0b · · Score: 4, Insightful

      If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

      If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater? There was an explicit deal regarding which flaws qualify for bounties and which do not. If someone submits one contrary to an honest reading of those terms, they are owed nothing.

    2. Re:Pay up if they fix the "out of bounds" issues by scdeimos · · Score: 1

      There are still "good citizens" out there that will report bugs without an expectation of payment.

      One of our applications files cases for exceptions through FogBugz, giving users the opportunity to add their own comments before submission. We know some users just click Cancel (thus not reporting an issue) but maybe 10% of submissions have a comment and about 10% of those say anything meaningful to help us replicate the bug. I don't recall anybody asking for money before telling us what they did to break it.

    3. Re:Pay up if they fix the "out of bounds" issues by Anonymous Coward · · Score: 0

      If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

      Well, since one of the examples was not their products, I'd just suggest they pass it on, or pass it on ourselves, with a thank you note. The website itself...maybe a coupon for something with the thank you note. Heck, coupons in general. Always a way to show how magnanimous you are.

    4. Re:Pay up if they fix the "out of bounds" issues by Voyager529 · · Score: 2

      That depends. You're right if you're asking him to limit his assessment to the foundation, however, if he sees that the water heater is set to burst in such a manner that when it does break that it will damage the foundation, then yes, I'd say you're still on the hook. At the end of the day, a risk to the foundation was found. If you're limiting the risk to only those which have already manifested, then yes the case could be argued, but you'd be a fool to not consider it an assessment within the scope of the question. There's a difference between that (finding a secondary answer to the question being asked) and simply saying that the heater is broken so your water won't be hot. I'd say that the former should still count, while the latter should not.

    5. Re:Pay up if they fix the "out of bounds" issues by noidentity · · Score: 1

      The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site.

      Who would complain that people are submitting more bug reports than asked for?!? They're getting reports for their website, without any need to pay a bounty. The problem with this is? Even bug reports of a competitor's product are useful in letting them know what areas are important to customers.

    6. Re:Pay up if they fix the "out of bounds" issues by kaiser423 · · Score: 2

      If it saved you money and/or fixed a problem; aka his service reaped unexpected obunties, I would think that the respectful thing to do would be to pay him. But then again, I do actually want people to tell me when other things outside of scope are wrong, because, you know, that's helpful and worth something.

    7. Re:Pay up if they fix the "out of bounds" issues by hedwards · · Score: 1

      That's partially because we're used to bug reports that go somewhere, and we have absolutely no clue as to what exactly is done with the information. And often times we're not told what information is being sent anyways. I don't know what things are like where you're working, but I do know that a lot of people aren't going to trust random strangers. Which in a sense is odd, given that there's enough trust to run the program, but there you go.

    8. Re:Pay up if they fix the "out of bounds" issues by JWSmythe · · Score: 2

          Actually, it's much different than that.

          It would be like you hired a contractor to assess the foundation of your house (your application), and instead he tells you about problems the front door on the adjoining house (your website), or about the foundation of houses in another state (competitors applications). Only an idiot would pay for such a report.

          If (and only if) they asked for a comprehensive evaluation of the security of their company, would the web site be included in it, unless the web site is essential to the operation of their application. If they intended to get paid for the work, they shouldn't have reported it through the bug tracking system. It could have been reported independently. I didn't read far enough to see if the bugs were really security bugs, or if they were simply rendering errors.

      --
      Serious? Seriousness is well above my pay grade.
    9. Re:Pay up if they fix the "out of bounds" issues by SharpFang · · Score: 3

      Actually, they are owed gratitude and what little courtesy demands. You have no contractual obligation to reward them, but in all fairness, if they discovered an error you didn't know about, where you didn't expect it, they deserve some kind of gratitude.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    10. Re:Pay up if they fix the "out of bounds" issues by TubeSteak · · Score: 3, Funny

      Water heaters aside, I think you'd be wise not to piss of people who have shown they can find holes in your product &/or corporate website, regardless of their ability to follow directions.

      --
      [Fuck Beta]
      o0t!
    11. Re:Pay up if they fix the "out of bounds" issues by scdeimos · · Score: 1

      Yes it is rather strange, isn't it (trusting you enough to run your application but not enough to log error reports)?

      We go to a great detail of trouble showing the user what information will be logged (given that this is running inside the application's exception handler we have to be very careful about triggering more exceptions) so that users can make an informed decision about the Ok/Cancel buttons on the exception dialog. Still, we occasionally get users (staff or customers) that complain to us through other channels (phone/email) about problems that they've been having and then have to fess-up that they've never bothered to log an exception report.

      Sometimes they've been experiencing the problem for months and we could have fixed it in a couple of minutes and had it out in the wild a couple of releases ago. Maybe we should take a leaf out of Sony/BMG's book and just do it without their consent. (jk)

    12. Re:Pay up if they fix the "out of bounds" issues by blackest_k · · Score: 1

      It's generally really difficult to get through to anyone who could actually get a bug fixed.

      the sales contacts won't be able to do anything
      dave from bangalore can't deviate from his scripts and will not pass anything back to the engineers on the other side of the world. so who , where?

      so given the opportunity to pass bug reports back to a company, why not pass your bug information to them. it's not like there is an alternative point of contact available for these other bugs.

      What is really crazy is that the corporate mind thinks this is people wanting to get paid for fixing unrelated bugs it isn't. It's people wanting bugs fixed even if it is a bug in the partners software at least corporation a has a line of communication to corporation b and hopefully the bug can be resolved to the benefit of both corporations and their customers.

      At least with open source software you can submit a bug about anything and hope to see it get fixed or find work arounds or updates or if needs be fix it yourself (it is always going to be easier for someone who has worked on the code base to find the error fix it and submit a patch).

      --
      Blarney Quality Restaurant, Plants
    13. Re:Pay up if they fix the "out of bounds" issues by bWareiWare.co.uk · · Score: 1

      The question about what is under the contract is only part of the issue. If an unsolicited observation saves you money (i.e. you wouldn't have noticed yourself and you were able to take preventative action) it would make sound economic sense to express your gratitude.

    14. Re:Pay up if they fix the "out of bounds" issues by Anonymous Coward · · Score: 0

      If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater? ...

      Technically you don't owe him anything but it's good manners at least to say thanks and/or recommend such honest contractor to your friends. Money is good incentive but most hackers don't do their research for it. They usually do it for other reasons like gaining knowledge and recognition. A little example would be Geohotz vs Sony on his PS3 hack.

    15. Re:Pay up if they fix the "out of bounds" issues by Abstrackt · · Score: 1

      The question about what is under the contract is only part of the issue. If an unsolicited observation saves you money (i.e. you wouldn't have noticed yourself and you were able to take preventative action) it would make sound economic sense to express your gratitude.

      Interesting point. One thing isn't clear to me though, and I'm honestly curious, what constitutes an acceptable gesture of gratitude? Is a company required to express their gratitude towards someone's observation with money? Or is it enough to give them a personalized "thank you" in an email, offer them a free copy of future versions of the software or simply give them some public recognition?

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  4. Barracuda by American+AC+in+Paris · · Score: 4, Funny

    ...does "your messaging client is such a kludge that I would frankly rather try use an actual elongated carnivorous fish to IM with my co-workers" count as a bug?

    --

    Obliteracy: Words with explosions

    1. Re:Barracuda by Jerf · · Score: 1

      I was the team lead on that product for a long time. It's based on a standard XMPP server. Use any standard XMPP client you like, if your administrator lets you install it. (If not, well... I can't really solve that problem.) The shipped client has deliberately been simplified for non-power users, as a result of a lot of feedback from such people. For example, XMPP's resource handling confuses most people, so it has been hard-coded in the client. If you're a power user you should definitely use Pidgin or Trillian or something.

  5. Huh. Really? by Octopuscabbage · · Score: 0

    So people who do things against the law do not like to follow rules? Really?

    1. Re:Huh. Really? by Anonymous Coward · · Score: 0

      I see you're one of these people that think anyone called a "hacker" must automatically be a criminal.

    2. Re:Huh. Really? by hedwards · · Score: 1

      Let me guess, you work at Microsoft, don't you?

  6. Puny bounties by Animats · · Score: 3, Funny

    There was once a real-time OS company that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS. They gave away about two cars a year, and it was worth it.

    1. Re:Puny bounties by hedwards · · Score: 1

      That's always a problem, there's a balance, you can't give away something that expensive for every bug no matter how tiny. But you also do have to compensate researchers enough to make it worth their while for more important bugs.

    2. Re:Puny bounties by syousef · · Score: 1

      That's always a problem, there's a balance, you can't give away something that expensive for every bug no matter how tiny. But you also do have to compensate researchers enough to make it worth their while for more important bugs.

      So only guarantee small bounties, but then generously offer disgressionary rewards for important bugs then use the publicity when you do give away something of value to get more researchers interested. Still cheaper than highering a traditional test team.

      --
      These posts express my own personal views, not those of my employer
    3. Re:Puny bounties by im_thatoneguy · · Score: 1

      There was once a real-time OS company that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS.

      The latest generation of VW Bug? Why not just knock them over the head and steal their children? Why on earth would anyone submit a bug if there was a chance they might have to drive a VW Beetle?

  7. How to ask questions/report bugs intelligently. by Anonymous Coward · · Score: 0

    People have forgotten how to ask questions intelligently (reporting bugs involves the same sort of etiquette/thinking). Actually, they never really learn how to in the first place.

  8. Not Just Hackers by Bieeanda · · Score: 4, Insightful

    I hate to break it this way, but most people don't have the QA skills of a goldfish. Most of them, even given guidelines, walkthroughs, or even formal instruction on how to write a bug report, would rather just drop a single, unhelpful line and get back to waiting for a cheque.

    1. Re:Not Just Hackers by Anonymous Coward · · Score: 0

      I have to agree with you there. We had one guy QA our web app and we started seeing bug reports pop up for adobe.com and no we aren't adobe.com. When we questioned him about it his response was something along the lines of "oh that's not our website?". After that I told my PM I couldn't work with him anymore.

  9. Heh . . by 228e2 · · Score: 1

    I remembered finding a bug in their bug submission portal . . . it was right of me to never submit it, right?

    --
    Since when does being a Socialist mean 'someone who has a different opinion than me'?
    1. Re:Heh . . by SharpFang · · Score: 1

      Depends what it was concerning. Same problem as running fsck from a corrupted filesystem: you have no warranty fsck itself is not corrupted and won't corrupt the filesystem further.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  10. Legal vs ethical. by khasim · · Score: 1

    If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater?

    Legally, that would depend upon the specific wording of the contract you signed with him.

    Ethically, if he found a flaw that you did not know about and told you about it in a manner that allowed you to save money by fixing it before it got worse, then yes, you do owe him.

  11. the catch by Anonymous Coward · · Score: 0

    What they don't mention is that researchers aren't allowed to demonstrate vulnerabilities using Barracuda's demo website. You might have found a flaw but you'll have to buy the damn app to get a bounty on it. There's no excuse for this; it's nigh-impossible to accidentally harm a website with XSS or CSRF. Google and Mozilla say 'no DoS' and leave it at that.

    Also, since when was XSS in the administration console non-critical?

  12. smells fishy alright by Anonymous Coward · · Score: 0

    Have they hired someone new @ Barracuda to help "wallpaper" the net with junk news about their company. Look for lotsa robo-spam on many forum posts next, I guess.

    I noticed that someone in the last couple days posted 4 or 5 glowing reviews of their workplace on glassdoor.com. Just about the only positives present there...

  13. I'm working on a better bounty program by jimktrains · · Score: 1

    I was in the middle of writing a site for bug/feature bounties that any project could sign up and use, but I'm not quite able to demo it yet. I've slowed work because I got tons of negative feedback on the idea from people thinking that it's a beaten concept and there was no reason to write a (better) app since others are out there. I'm still working, but slowly.

    --
    "You will do foolish things, but do them with enthusiasm." - S. G. Colette
  14. Rule of First Sale by Anonymous Coward · · Score: 0

    You can always just sell it for some cash.

  15. cuda sux by Anonymous Coward · · Score: 0

    Barracuda is an ungrateful company. You should try working there...

  16. Another poor implementation... by Anonymous Coward · · Score: 0

    Why an organization would attempt to limit the bug submission process to only a select few products is ridiculous. You completely eliminate other issues which can be discovered as proven by the comments in the article posted above. Why not allow an open submission process with specific parameters on financial compensation for submission. Google should be reading this as well. By adopting this policy it will ultimately improve all software released as well as not punish those who are inclined to want to challenge themselves mentally by finding bugs and gaps in software. There seems to be a disturbing trend in the corporate world as of late with the prosecution of hackers/crackers etc. If this trend continues we will be in trouble. Eventually the age of the white and black hat hackers will fade and all we will be left with is Black hat hackers and Grey Hat hackers who simply just keep their mouths shut.