Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bug Bounties: Outbidding the Black Hats

Posted by Soulskill on from the all-about-the-benjamins dept.

snydeq writes "Fatal Exception's Neil McAllister discusses whether independent software developers should follow in the footsteps of Google and Mozilla and begin offering bug bounties before black hats pay up for their undisclosed software flaws. 'Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They're just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it's time more software shops thought seriously about using their own cash to turn the tide in their favor.'"

59 comments

  1. Re:Stand back! by Anonymous Coward · · Score: 0

    And we all know YOU work...

  2. Paying people to find bugs? by Hatta · · Score: 2

    What a novel idea!

    --
    Give me Classic Slashdot or give me death!
    1. Re:Paying people to find bugs? by mabhatter654 · · Score: 2

      seriously though, from the point of view of somebody that makes software this is still blackmail.

      Imagine if we held home builders to the same standard... I'm going to run around your neighborhood with tire irons, deer grill on my 4x4, and a lock pick set and if I get into your house (by ripping out the porch or windows) , it's still YOUR fault?

      If we're going to play that way, then just allow companies like Apple and Microsoft to hire Blackwater for some anti-hacker work! Much like bounty hunters, give them an international license and something so they can tag their kills and drop the bodies off at the authorities no questions asked. Let's even the playing field. If no laws apply on-line let's get rid of the pesky laws that keep corporations and information owners from fighting back!!!

      Somebody should make a book about this...online/offline wars over hacking... it'd be a big seller.

    2. Re:Paying people to find bugs? by Hatta · · Score: 2

      Nonsense. This is a great deal for software companies. Instead of paying people a salary whether there find any bugs or not, you get people to work for free and only pay them when they find bugs.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Paying people to find bugs? by Jibekn · · Score: 1

      Your analogy is flawed, homes are not designed to be burglar proof, while software is (theoretically). A proper analogy would be to liken this to someone breaking out of prison, without a trace, and refusing to tell anyone how they did it without being paid, which I would call very reasonable, especially if this person in question is not a convict, just a security consultant.

    4. Re:Paying people to find bugs? by oliverthered · · Score: 1

      It's more like someone sending two satellites up into space to prove or disprove the theory of relativity.

      Then someone sending more to prove it wrong again.

      only more like, since software is or should be duelist.

      --
      thank God the internet isn't a human right.
    5. Re:Paying people to find bugs? by TheRaven64 · · Score: 1

      seriously though, from the point of view of somebody that makes software this is still blackmail.

      I've given up reporting bugs in proprietary software. When I file bug reports with free software projects, someone usually fixes them, and we both benefit from improved software. When I file bugs in proprietary software, I usually find that I am expected to pay for the next version, which fixes the bug. I do QA for them, but get nothing in return.

      I don't sell the bug reports to black hats (although one of the last ones that I reported in OS X was exploitable - I think that one's fixed now). There's no blackmail involved. They can either pay me to give them a detailed report (including payments in kind, such as access to the bug-fixed version), or they can pay someone else to find the bug.

      --
      I am TheRaven on Soylent News
    6. Re:Paying people to find bugs? by munky99999 · · Score: 1

      Actually we have building inspectors that ensure building work is done properly. If you wish the analogy to be true we will need to implement code inspectors who ensure it is problem free. In other words exploit-free. Im pretty sure recently the Americans considered trying this and basically all software developers grabbed their swords and put them to the neck of those involved.

    7. Re:Paying people to find bugs? by mabhatter654 · · Score: 1

      we license Doctors, lawyers, engineers, accountants... heck even auto mechanics and hair stylists ... we even license TOYS for safety now... You'll note we don't license Executives, we don't license Wall Street investment bankers... I think software will have to have some minimum licensing... or companies like Google, Microsoft, Apple, Sony will simply lobby to have their platforms legally locked down and hacking enforced by law... with guns.

    8. Re:Paying people to find bugs? by Anonymous Coward · · Score: 0

      Police officers can have training,license... but that doesn't directly reduce criminality.
      I can't see how software developers licensing would solve this problem, and you can take example in companies who comply to all those "security certifications" and also fall pray to hackers.
      Banks pay quite a big chunk of money to protect their vaults and they DO get robbed.

      I think here the best fit is....“you can’t solve a problem with the same mind that created it.”

  3. This overlooks various marketing opportunities by afourney · · Score: 4, Insightful

    Bug bounties are paid once. Meanwhile, there are many black hats who may be willing to pay for an exploit package, access to bot nets, etc. I imagine there is more money to be made using bugs for nefarious purposes.

    1. Re:This overlooks various marketing opportunities by Anonymous Coward · · Score: 1

      It is always going to be more profitable in the short term to be dishonest. That's the whole point of dishonesty.

      The goal here is to push people a bit more toward honesty, most would prefer to make a dollar honestly than a hundred dishonestly.

    2. Re:This overlooks various marketing opportunities by Riceballsan · · Score: 4, Insightful

      I don't think the bug bounties will ever match the insane prices that black hats will sell these things for, but they can motivate the white and grey hats to spend more time looking for the bugs. The black hats have the perk that they can more or less turn the hunting into a full fledged job, find the right 2-3 exploits and you can make profits that legitimate programmers make in 5 years, but for every one of those guys, there's 10 people who work 9-5 and could probably use a bit of extra cash, $1000 or so isn't a bad incentive to spend a few extra hours each night looking around for something, it's also something that could look good on the resume for a starting programmer, and substantial money to say a teenager. Rather then spending 80K on one good black hat, you can spend 70k and keep thousands of white/grey hats from all walks of life. Heck there's some mistakes that I'm sure a bored teenage prodigy would catch that an experienced veteran programmer would miss just because they see things differently.

    3. Re:This overlooks various marketing opportunities by Anonymous Coward · · Score: 1

      I don't think that's true. I think that most people would prefer to make a dollar they will keep than a hundred that could be seized by law enforcement officials, but that's not the same thing. Lots of people do all kinds of unethical but legal things simply because it means more money. There are some who think as you describe but they are a minority, and even most of them would compromise those principles if they really needed the hundred dollars.

    4. Re:This overlooks various marketing opportunities by hedwards · · Score: 1

      I doubt that comes into the picture. Criminals in general don't assume that they're going to be caught, there are exceptions, but most don't think they'll be caught. Especially for cybercrime where they frequently hide out in places where the government can't or won't prosecute them.

    5. Re:This overlooks various marketing opportunities by countertrolling · · Score: 1

      And besides, the police will just as likely steal your honest dollar as 'drug proceeds'. Good luck getting it back.. Honesty, and even basic humanity has become a quaint old anachronism. Even the illusion (with the US gone down the tubes over the last tens years) has seriously deteriorated. It just doesn't pay. Crime and general savagery, however, is quite the opposite story

      --
      For justice, we must go to Don Corleone
    6. Re:This overlooks various marketing opportunities by gnick · · Score: 2

      Criminals know there's a chance of getting caught, but it's simple risk/benefit.
      X = Perceived chance of getting caught
      P = Penalty if caught
      $ = Profit of legitimate version of endeavor
      $' = Profit of illegitimate version of endeavor
      M = Offset for positive moral feeling (varies per individual)
      T = Thrill factor of going outside the law (varies per individual)
      If $'-XP+T > $+M, a person goes criminal. Note that all values must be converted to personal 'worth' of cash/emotion.

      --
      He's getting rather old, but he's a good mouse.
    7. Re:This overlooks various marketing opportunities by BZ · · Score: 2

      For what it's worth, the bored teenage prodigy effect has certainly come up at least in Mozilla's case, and 2-3 bug bounties is indeed pretty good money for a teenager!

    8. Re:This overlooks various marketing opportunities by Anonymous Coward · · Score: 0

      Hmmm find and report bugs and get paid or just spend time finding and reporting bugs with no pay. Easy choice - if everyone else is getting paid for this, why should I find bugs and report them to companies for free? I mean after all, they are making millions off of my reporting. Discovering attack vectors and reporting them allows companies to modify their products and the algorithms they employ. Essentially this helps the company create better IP and profit further in the future from better more secure products. Thinking about it, it kind of seems like a scam to get people to report things for free. I know, its like a moral thing, we can help protect people, etc. etc. But really are people really getting protected? I mean these same companies are still selling and sharing the customer data, except they are getting paid for it. It seems more like all that's happening is shareholder profits are being protected and companies are improving their IP, without having to pay anyone anything.

      I understand those that use this reporting for the reputation, or their side businesses - but lets be real, people are seldom reporting findings just to report them - so the real difference between hat colors seem to be who is ultimately profiting.

      Just some thoughts.

    9. Re:This overlooks various marketing opportunities by oliverthered · · Score: 1

      You missed off. System fucked you up.

      So M could be on either side.

      --
      thank God the internet isn't a human right.
    10. Re:This overlooks various marketing opportunities by Anonymous Coward · · Score: 0

      There's one big difference. The companies that provide the service and develop the IP are held accountable by law for protecting their customer's information. If blackhats are selling off exploits to questionable individuals or companies, those companies are already operating outside the law, and are more likely to abuse a customer's information.

      This may be an overdramatization of things, but imagine one day you come home to find that your house broken into, all of your valuables have been stolen. Minutes later, the police show up because someone reported the break-in, and they arrest you because your identity has apparently been stolen and someone has been committing crimes in your name. While I personally am not a fan of how corporations profit off of their customers' personal information, they're far less likely to handle it intentionally in a way that ruins someone's life.

    11. Re:This overlooks various marketing opportunities by Ihmhi · · Score: 1

      Shit, that's how modern business works, not just your everyday individual criminal. Recall if you will the "car recall" speech from Fight Club.

      --
      Random Thoughts From A Diseased Mind (Not For Dummies)
    12. Re:This overlooks various marketing opportunities by Anonymous Coward · · Score: 0

      Just allow M to be negative, and his formula holds again.

    13. Re:This overlooks various marketing opportunities by oliverthered · · Score: 1

      That would be your personal opinion.

      Allow it to be negative, fine, just put it on the other side.

      Your making a judgement of value based from your perspective.

      --
      thank God the internet isn't a human right.
    14. Re:This overlooks various marketing opportunities by oliverthered · · Score: 1

      It's more given any set of deeds where one tends to deeds the set of deeds with least resistance would be chosen. stress testing may be required. ponzi schemes set-up, choose an existing one you make your own or do some interfacing.

      There does however exist a set of people who tend to faith, this system seems bizarre to the deed doers. But an old time measure (martin Luthor) related to the notion of free will.

      The is to say it was the deed of eating the apple from the tree of knowledge that was bad.
      vs
      The corruption of innocence, to know of but not be bad.

      Some could say that it's all an allegory of a cave, others empathy or mirror neurons and alternative learning styles.

      --
      thank God the internet isn't a human right.
    15. Re:This overlooks various marketing opportunities by Geminii · · Score: 1

      Yeah, but the ten guys putting in a couple of hours are going to duplicate a lot of each others' work when it comes to finding the really deep bugs. Buffer overruns are easy, subtle implications of common yet ever-so-slightly mismatched data structures spread across fourteen modules are less so.

  4. lies by Anonymous Coward · · Score: 2, Insightful

    The article's claim that Microsoft would have to open-up its source to allow bug bounties is rubbish. Google offers bounties for its web applications, and they are hardly open source. There are plenty of vulnerabilities that can be found using black-box techniques. Facebook isn't open source either and will shortly be offering bounties: http://news.softpedia.com/news/Facebook-Prepares-to-Launch-Bug-Bounty-Program-201405.shtml (I regret deleting my facebook account)

    Experts like Schneier may point out that bounties don't offer great value for time for professionals, but as a student the money is quite an incentive for me.

    1. Re:lies by TheLink · · Score: 2

      Experts like Schneier may point out that bounties don't offer great value for time for professionals, but as a student the money is quite an incentive for me.

      Or someone working in a poorer country. Salaries are much lower in poorer countries.

      And a lot of people would rather deal with Google than deal with the underworld. They might offer more but what do you do if they don't pay up, or come to take it back just because they claim your exploit didn't work (PEBKAC?), or because they feel like it?

      --
    2. Re:lies by Anonymous Coward · · Score: 2, Interesting

      Plenty of security researchers have sufficient ethics/common sense not to attempt to sell vulnerabilities on the black market. They typically either practise 'responsible' or 'full' disclosure, or sit on the vulnerability if the vendor has a reputation of taking people to court. Hell even for a blackhat it is often simpler/safer to exploit the vulnerability yourself then sell the cards/passwords you got with it.

    3. Re:lies by Anonymous Coward · · Score: 0

      (I regret deleting my facebook account)

      You didn't. There's no way to. Try logging back in, you'll be surprised.

    4. Re:lies by Desler · · Score: 1

      The article's claim that Microsoft would have to open-up its source to allow bug bounties is rubbish.

      That's because the article writer, and the many people on Slashdot who have said the same thing, are morons. For example, Ilfak Guilfanov the main developer of IDA PRO posted his own hotfix for a Windows vulnerability years ago without ever having access to "teh codez". This notion that people found security issues through staring at the code is laughably wrong and is written by idiots who are ignorant of the topic at hand.

    5. Re:lies by Anonymous Coward · · Score: 0

      Hell even for a blackhat it is often simpler/safer to exploit the vulnerability yourself then sell the cards/passwords you got with it.

      Yeah, that might be why some are offering higher prices. Even the blackhats don't want to sell too cheap. Because if it turns out you sell your exploit to the wrong sort, things might be traced to you (follow the money) and you end up doing time.

      Fact is if you're very clever and don't mind doing unethical things to make lots of money, you'd be better off using your brains in the financial world. Because there you can do unethical things AND make millions LEGALLY. Even when shit hits the fan, you usually get to keep the money.

    6. Re:lies by mysidia · · Score: 1

      They might offer more but what do you do if they don't pay up, or come to take it back just because they claim your exploit didn't work (PEBKAC?), or because they feel like it?

      I suspect, this is where Bitcoin comes in.

      Or a 'trusted' escrow.

      Or a deal like 'half the $$$ up front' and 'half when the customer approves'

      Or.... proof of concept up front; delivery of final product after $$$ irreversibly paid.

    7. Re:lies by Anonymous Coward · · Score: 0

      They prepay (I've always got western union wires). I've never had someone go ZOMG DOESN"T WORK HURR DURR. Why risk someone fucking up your botnets C&C, because you wanted to save a little money?

  5. Reason to work for the good guys by Anonymous Coward · · Score: 0

    Black hats dont give references...

    1. Re:Reason to work for the good guys by mabhatter654 · · Score: 1

      but they do have cookies!

      the light side has milk... bummer.

    2. Re:Reason to work for the good guys by munky99999 · · Score: 1

      Why do you say that? Black hats can just say they are security researchers... until their name gets a headline they are as good a reference as anyone else. Though why even bother going this far? Most people I know just reference each other and establish fake companies that they all know how they operated in the company. Complete bullshit stories. Which realistically in the long run all references really are bullshit.

  6. Capitalism at work by chill · · Score: 3, Funny

    Dilbert #1

    Dilbert #2 -- Also explains IE 6

    --
    Learning HOW to think is more important than learning WHAT to think.
  7. Re:Nice business model by Anonymous Coward · · Score: 1

    Sure, you could simply divert the rounded-off pennies of interest deposits to a swiss bank account. No one will ever notice, it's perfect.

  8. I foresee economic problems by v1 · · Score: 4, Interesting

    Cash For Exploits has several problems:

    1) a hacker that manages to engineer a zero-day has a whole line of customers willing to pay serious money for it. Malware authors that just got their cash cow's exploit patched last week are foaming at the mouth waiting for a new zero-day to put them back on track. They're making lots of money on their malware and are definitely willing to pay to keep it running a few more months. Companies aren't usually willing to pay a lot for an exploit. (there are exceptions but they are still uncommon) I'd love to see some hard numbers on what an average malware author nets a month.

    2) said hacker can sell it more than once. Possibly many times. Why sell your exploit to the vendor once when you can sell it 100 times to other people? Is the vendor really going to be willing to pay you 100x what one desperate malware author can pay? Hard numbers on what a zero day ends up paying off would be really interesting to look at, and is what the vendors need to be considering when setting their bounties.

    3) vendors downplay vulnerabilities as a way of life. They have every reason to tell you that the hole you discovered is of little value and try to cheat you on the payoff. On the other hand, selling it to the malware community is a reputation based system. Sell crap and it will hurt your reputation and hurt your business. They know a good exploit when they see it and will pay you what it's worth. The hacker can either make themselves the Bitch or the Man. Being the Man will naturally be more profitable.

    4) if the vendors start snatching up the exploits, it's just going to drive up the price of them on the black market. And any good salesman sells to the highest bidder. At some point, the black market price is going to exceed whatever the vendors are willing to pay. Desperate customers with deep pockets will still get their hands on the exploits. (though this would arguably reduce the number of them in the wild due to higher cost)

    5) lets not forget that if you create a legitimate reason to hack your product, it will increase the number of exploits found. Some consider this a good thing, but a lot of vendors consider this a bad thing. And they're usually impossible to convince otherwise.

    --
    I work for the Department of Redundancy Department.
    1. Re:I foresee economic problems by Anonymous Coward · · Score: 1

      Why sell your exploit to the vendor once when you can sell it 100 times to other people?

      Why not do both? First sell it on the black market, then when that revenue stream starts to dry up turn around and sell it to the vendor. This strategy has the added bonus of increasing demand on your next exploit when the vendor gets around to fixing the bug you've already sold.

    2. Re:I foresee economic problems by Anonymous Coward · · Score: 0

      in response to your #2 - seems that the vendor is only paying for the priviledge of viewing the exploit; it can never really be owned by the vendor because it's the IP of the blackhat.

    3. Re:I foresee economic problems by poppopret · · Score: 1

      Hard numbers on what a zero day ends up paying off would be really interesting to look at, and is what the vendors need to be considering when setting their bounties.

      OK, look at the size of the US government's black budget. This is what they need to outbid. Oh, but the budget will change as required.

      In case you can deliver the goods, my gmail address is doubleplusgoodalbert. We're hiring.

    4. Re:I foresee economic problems by Sulphur · · Score: 1

      I'd love to see some hard numbers on what an average malware author nets a month.

      Ask either that answer to that or to a question for which you know the answer. The data can be separated.

  9. Cake and eat it too? by Anonymous Coward · · Score: 0

    I think software vendors not only need to buy up these bugs, but they need to deal with the fact that the person who found it is going to sell it to malware kit authors. The difference is that the vendors can start working on patching it and/or come up with work-arounds and notify customers.

  10. Protection against crime by Pf0tzenpfritz · · Score: 1

    Protection against crime is not an issue "the market should regulate". Basically paying for bugs -to protect yourself or your customers from illegal actions- is privatizing justice and a deeply undemocratic thing. To be protected from crime is what all the "security" measures by governments claim to be about and it is not a matter of weath how much or how good individual protection is.

    --
    Oh, the beautiful gloss of greality!
    1. Re:Protection against crime by Anonymous Coward · · Score: 0

      Protection against crime is not an issue "the market should regulate". Basically paying for bugs -to protect yourself or your customers from illegal actions- is privatizing justice and a deeply undemocratic thing. To be protected from crime is what all the "security" measures by governments claim to be about and it is not a matter of weath how much or how good individual protection is.

      Nonsense. This is like saying that having a market for locks and safes is privatizing justice. Justice is what you want after a crime has been committed, but the best solution is always to prevent the crime from happening at all.

      This is having the market regulate prudence, not justice. The reason why it works is because markets are good at managing scarcity.

      The scarcities here are scarce resources to devote to securing software vs. scarce resources that could be threatened by a criminal act. So you have to decide how much to spend on each. And only you, as an independent market actor, can really know how much each is worth to make reasonable decisions.

      The police can't do it because they're not in your shoes. They're not in a position to evaluate your resources and the risks you're taking on a day to day basis. And, as much you might like cops on a personal level, you probably wouldn't want them to try.

    2. Re:Protection against crime by munky99999 · · Score: 1

      So you think the security researchers should only sell to the government? Or work for free? You're nuts.

  11. Re:Nice business model by mysidia · · Score: 0

    1. Program flaws into your own software. Hiding them is a lot easier with closed-source, by the way.

    Not necessarily. That depends on the complexity of the vulnerability; who you're hiding from, and why/what people are looking for. The source code just makes certain obvious bugs easier to find.

    There are more people who can read high-level source code than there are assembly hackers.

    It's very easy to effectively hide flaws in plain sight, if you know what you are doing; closed source or not. Auditing source code is harder than utilizing techniques such as fuzzing.

    There are some exploits discovered through source code analysis, but most vulnerabilities are discovered surreptitiously, by testing unusual conditions and finding that, the program crashes, or fails, on a certain input, for example.

    The failure can then be explored, the binary can be dissassembled, to determine exploitability of the found bug.

  12. Depends on the price. Maybe we should bid. by elucido · · Score: 1

    For $1000 no. For $5000-$10,000 yes.

    Only because we know companies like Google, Microsoft,Facebook and others have the money.

  13. no, law enforcement is the buyer by poppopret · · Score: 1

    They pay pretty well if they trust you. They sure won't seize back what they just payed you. Email doubleplusgoodalbert at my gmail account if you'd like a job doing this. US citizens only, sorry.

  14. Totally Bunk, Unsourced Microsoft objection by Anonymous Coward · · Score: 0

    "To create a bug bounty program with the breadth of Google's or Mozilla's, Microsoft would have to open its proprietary code to the rank and file."

    The author starts off with the acknowledgment that vulnerabilities are _already_ being sold, then throws out this piece of nonsense. No, they really wouldn't have to open their codebase. MS bugs are already sold regularly. They're already sold on the black market, to governments, white hat organizations, and hoarded by exploit pack developers. And I think it's safe to say that few if any of those people had access to the source code.

    On top of that, the way this was written it's untrue if this objection comes directly from Microsoft or if the author merely pulled it out of his ass. Boo.

  15. Selling to a black hat is stupid by Stan92057 · · Score: 1

    Selling to a black hat is stupid, he/she will use it for criminal activities that will send you to jail as well as the Black Hat. Your future will be ruined unless an anti virus company hires you. They do have a history of hiring the bad guys.

    --
    Jack of all trades,master of none
    1. Re:Selling to a black hat is stupid by munky99999 · · Score: 1

      Has anyone in a 1st world country ever been arrested for selling an exploit to another person who may have used it illegally? Hell catching actual blackhats is ridiculously low... going to court with someone who sold an exploit is going to be pretty fuckin difficult. I could sell a gun to someone and they might then go use it to kill someone but that's hardly my problem.

  16. My 0-day by munky99999 · · Score: 1

    So I wrote my 0day. It's just a denial of service at this point because the actual exploit is heap-based and I'm a total noob and cant write a heap based exploit. This is an application that if I were to nmap the internet I'm sure I would find LOTS of this; as the whole purpose of the application is about being web-faced. The actual software has been included in lots of products.

    I contact the software developer and say, "Hey I have a denial of service vulnerability that could be written into a remote code execution but I'm rather new and dont really wish to do that. So it remains a DOS." They respond back to me "Since it's just a DOS we dont really care" though not in those exact words.

    So what do I do? I could sell to some badguy who then builds the next largest botnet using it; which I then get kidnapped by organized crime and forced to code exploits. Or I could sit on it as if I never did anything. Well that's what I did mainly because it's a newb exploit and dont want to be embarrassed by how lame it is.

    Guess what.. That's the majority of software developers. Which is why most vulnerabilities get dropped on exploitdb full disclosure and they make no money. The few vendors who will pay for bugs and work with researchers are genuinely good guys who want to secure their software.

    What we need though is a Software Recall system. New 0day? code execution? All that software must be recalled and patched else you are liable for damages.

    1. Re:My 0-day by Anonymous Coward · · Score: 0

      Try Zero Day Initiative. If the software is as major as you say you may get ~$5k for it. More if you can write a proper PoC.

  17. Pay employees, not bounties by Anonymous Coward · · Score: 0

    Let's step back a second. The reason that bug bounties exist is because these software makers want to avoid having to pay one or more salaries for security testing. Normal, law-abiding workers can't make a living by competing to find exploits. It requires tons of expertise and offers very little pay on a per-hour basis. If these companies are serious about security, they would start hiring more experts to do security testing full-time.

    As long as companies are using bounties to avoid the real expense of security testing, they absolutely cannot be taken seriously when it comes to improving security. Outbidding black hats is just another punchline to the same joke.