Slashdot Mirror


The Joys of Running a Bug Bounty Program

Trailrunner7 writes "When Barracuda Networks started its bug bounty program about three months ago, company officials weren't exactly sure what to expect. They didn't know whether there'd be an onslaught of submissions or the sound of crickets chirping. The reality turned out to be somewhere in the middle. Overall, the company has been getting about 10 bug reports a month, none of which has been very serious. But that doesn't mean the program hasn't been a success. Peck said that Barracuda also had run into the same problem that Google and others have: hackers don't pay much attention to directions. The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site."

14 of 52 comments

  1. Hackers and directions by MrEricSir · Score: 2

    Hell, I could have told you that hackers don't read directions.

    But would you have read my advice?

    --
    There's no -1 for "I don't get it."
    1. Re:Hackers and directions by symbolset · Score: 2

      If you give web designers a place to submit bug reports on your website, even if it's not exactly topical, they'll use it. Some web designs are truly unfortunate. If HP published the physical location of their web design teams they'd probably have to enroll them in something similar to a witness protection program.

      --
      Help stamp out iliturcy.
    2. Re:Hackers and directions by Anonymous Coward · Score: 2, Funny

      Wait, this was covered in Dilbert years ago.
      The pointy-haired boss announced there would be bonuses based on bugs found.

      Wally shouted "woo hoo, I'm writing myself a minivan today"

  2. Pay up if they fix the "out of bounds" issues by PatPending · Score: 2

    The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners' products or in the Barracuda corporate Web site.

    If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
    1. Re:Pay up if they fix the "out of bounds" issues by Wrath0fb0b · Score: 4, Insightful

      If they do in fact fix those "out of bounds" issues and/or its corporate web site then they should pay something to the discoverer. Only if they don't do anything about them should they not pay anything.

      If I ask a contractor to assess my foundation and he tells me that my water heater is busted, do I owe him money if I later replace the heater? There was an explicit deal regarding which flaws qualify for bounties and which do not. If someone submits one contrary to an honest reading of those terms, they are owed nothing.

    2. Re:Pay up if they fix the "out of bounds" issues by Voyager529 · Score: 2

      That depends. You're right if you're asking him to limit his assessment to the foundation; however, if he sees that the water heater is set to burst in such a manner that when it does break it will damage the foundation, then yes, I'd say you're still on the hook. At the end of the day, a risk to the foundation was found. If you're limiting the risk to only those which have already manifested, then yes, the case could be argued, but you'd be a fool not to consider it an assessment within the scope of the question. There's a difference between that (finding a secondary answer to the question being asked) and simply saying that the heater is broken so your water won't be hot. I'd say that the former should still count, while the latter should not.

    3. Re:Pay up if they fix the "out of bounds" issues by kaiser423 · Score: 2

      If it saved you money and/or fixed a problem, a.k.a. his service reaped unexpected bounties, I would think that the respectful thing to do would be to pay him. But then again, I do actually want people to tell me when other things outside of scope are wrong, because, you know, that's helpful and worth something.

    4. Re:Pay up if they fix the "out of bounds" issues by JWSmythe · Score: 2

      Actually, it's much different than that.

      It would be like you hired a contractor to assess the foundation of your house (your application), and instead he tells you about problems with the front door on the adjoining house (your website), or about the foundation of houses in another state (competitors' applications). Only an idiot would pay for such a report.

      If (and only if) they asked for a comprehensive evaluation of the security of their company would the web site be included in it, unless the web site is essential to the operation of their application. If they intended to get paid for the work, they shouldn't have reported it through the bug tracking system. It could have been reported independently. I didn't read far enough to see if the bugs were really security bugs, or if they were simply rendering errors.

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:Pay up if they fix the "out of bounds" issues by SharpFang · Score: 3

      Actually, they are owed gratitude and what little courtesy demands. You have no contractual obligation to reward them, but in all fairness, if they discovered an error you didn't know about, where you didn't expect it, they deserve some kind of gratitude.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    6. Re:Pay up if they fix the "out of bounds" issues by TubeSteak · Score: 3, Funny

      Water heaters aside, I think you'd be wise not to piss off people who have shown they can find holes in your product and/or corporate website, regardless of their ability to follow directions.

      --
      [Fuck Beta]
      o0t!
  3. Barracuda by American AC in Paris · Score: 4, Funny

    ...does "your messaging client is such a kludge that I would frankly rather try to use an actual elongated carnivorous fish to IM with my co-workers" count as a bug?

    --
    Obliteracy: Words with explosions

  4. Puny bounties by Animats · Score: 3, Funny

    There was once a real-time OS company that gave you a Bug, a Volkswagen Beetle, if you found a bug in their OS. They gave away about two cars a year, and it was worth it.

  5. Re:What? by sortius_nod · Score: 2

    I'm thinking you don't either by saying that it's "guessing".

    An informed guess is different to a blind guess, and to be quite frank, blind guesses don't generally find exploits or bugs.

    That said, running in and guessing isn't what you do when you want to break a system, generally you need to know how the system works, or know enough to be able to theorise what might break it. It has nothing to do with guessing.

  6. Not Just Hackers by Bieeanda · Score: 4, Insightful

    I hate to break it this way, but most people don't have the QA skills of a goldfish. Most of them, even given guidelines, walkthroughs, or even formal instruction on how to write a bug report, would rather just drop a single, unhelpful line and get back to waiting for a cheque.