Slashdot Mirror


Bug Bounties: Outbidding the Black Hats

snydeq writes "Fatal Exception's Neil McAllister discusses whether independent software developers should follow in the footsteps of Google and Mozilla and begin offering bug bounties before black hats pay up for their undisclosed software flaws. 'Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They're just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it's time more software shops thought seriously about using their own cash to turn the tide in their favor.'"

12 of 59 comments

  1. Paying people to find bugs? by Hatta · · Score: 2

    What a novel idea!

    --
    Give me Classic Slashdot or give me death!
    1. Re:Paying people to find bugs? by mabhatter654 · · Score: 2

      Seriously though, from the point of view of somebody that makes software, this is still blackmail.

      Imagine if we held home builders to the same standard... I'm going to run around your neighborhood with tire irons, deer grill on my 4x4, and a lock pick set, and if I get into your house (by ripping out the porch or windows), it's still YOUR fault?

      If we're going to play that way, then just allow companies like Apple and Microsoft to hire Blackwater for some anti-hacker work! Much like bounty hunters, give them an international license and something so they can tag their kills and drop the bodies off at the authorities no questions asked. Let's even the playing field. If no laws apply on-line let's get rid of the pesky laws that keep corporations and information owners from fighting back!!!

      Somebody should make a book about this...online/offline wars over hacking... it'd be a big seller.

    2. Re:Paying people to find bugs? by Hatta · · Score: 2

      Nonsense. This is a great deal for software companies. Instead of paying people a salary whether they find any bugs or not, you get people to work for free and only pay them when they find bugs.

      --
      Give me Classic Slashdot or give me death!
  2. This overlooks various marketing opportunities by afourney · · Score: 4, Insightful

    Bug bounties are paid once. Meanwhile, there are many black hats who may be willing to pay for an exploit package, access to bot nets, etc. I imagine there is more money to be made using bugs for nefarious purposes.

    1. Re:This overlooks various marketing opportunities by Riceballsan · · Score: 4, Insightful

      I don't think the bug bounties will ever match the insane prices that black hats will sell these things for, but they can motivate the white and grey hats to spend more time looking for the bugs. The black hats have the perk that they can more or less turn the hunting into a full-fledged job: find the right 2-3 exploits and you can make profits that legitimate programmers make in 5 years. But for every one of those guys, there's 10 people who work 9-5 and could probably use a bit of extra cash; $1000 or so isn't a bad incentive to spend a few extra hours each night looking around for something. It's also something that could look good on the resume for a starting programmer, and substantial money to, say, a teenager. Rather than spending 80K on one good black hat, you can spend 70k and keep thousands of white/grey hats from all walks of life. Heck, there's some mistakes that I'm sure a bored teenage prodigy would catch that an experienced veteran programmer would miss just because they see things differently.

    2. Re:This overlooks various marketing opportunities by gnick · · Score: 2

      Criminals know there's a chance of getting caught, but it's simple risk/benefit.
      X = Perceived chance of getting caught
      P = Penalty if caught
      $ = Profit of legitimate version of endeavor
      $' = Profit of illegitimate version of endeavor
      M = Offset for positive moral feeling (varies per individual)
      T = Thrill factor of going outside the law (varies per individual)
      If $'-XP+T > $+M, a person goes criminal. Note that all values must be converted to personal 'worth' of cash/emotion.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:This overlooks various marketing opportunities by BZ · · Score: 2

      For what it's worth, the bored teenage prodigy effect has certainly come up at least in Mozilla's case, and 2-3 bug bounties is indeed pretty good money for a teenager!

  3. lies by Anonymous Coward · · Score: 2, Insightful

    The article's claim that Microsoft would have to open up its source to allow bug bounties is rubbish. Google offers bounties for its web applications, and they are hardly open source. There are plenty of vulnerabilities that can be found using black-box techniques. Facebook isn't open source either and will shortly be offering bounties: http://news.softpedia.com/news/Facebook-Prepares-to-Launch-Bug-Bounty-Program-201405.shtml (I regret deleting my Facebook account)

    Experts like Schneier may point out that bounties don't offer great value for time for professionals, but as a student the money is quite an incentive for me.

    1. Re:lies by TheLink · · Score: 2

      Experts like Schneier may point out that bounties don't offer great value for time for professionals, but as a student the money is quite an incentive for me.

      Or someone working in a poorer country. Salaries are much lower in poorer countries.

      And a lot of people would rather deal with Google than deal with the underworld. They might offer more, but what do you do if they don't pay up, or come to take it back just because they claim your exploit didn't work (PEBKAC?), or because they feel like it?

    2. Re:lies by Anonymous Coward · · Score: 2, Interesting

      Plenty of security researchers have sufficient ethics/common sense not to attempt to sell vulnerabilities on the black market. They typically either practise 'responsible' or 'full' disclosure, or sit on the vulnerability if the vendor has a reputation of taking people to court. Hell, even for a blackhat it is often simpler/safer to exploit the vulnerability yourself and then sell the cards/passwords you got with it.

  4. Capitalism at work by chill · · Score: 3, Funny

    Dilbert #1

    Dilbert #2 -- Also explains IE 6

    --
    Learning HOW to think is more important than learning WHAT to think.
  5. I foresee economic problems by v1 · · Score: 4, Interesting

    Cash For Exploits has several problems:

    1) a hacker that manages to engineer a zero-day has a whole line of customers willing to pay serious money for it. Malware authors that just got their cash cow's exploit patched last week are foaming at the mouth waiting for a new zero-day to put them back on track. They're making lots of money on their malware and are definitely willing to pay to keep it running a few more months. Companies aren't usually willing to pay a lot for an exploit (there are exceptions, but they are still uncommon). I'd love to see some hard numbers on what an average malware author nets a month.

    2) said hacker can sell it more than once. Possibly many times. Why sell your exploit to the vendor once when you can sell it 100 times to other people? Is the vendor really going to be willing to pay you 100x what one desperate malware author can pay? Hard numbers on what a zero day ends up paying off would be really interesting to look at, and is what the vendors need to be considering when setting their bounties.

    3) vendors downplay vulnerabilities as a way of life. They have every reason to tell you that the hole you discovered is of little value and try to cheat you on the payoff. On the other hand, selling it to the malware community is a reputation based system. Sell crap and it will hurt your reputation and hurt your business. They know a good exploit when they see it and will pay you what it's worth. The hacker can either make themselves the Bitch or the Man. Being the Man will naturally be more profitable.

    4) if the vendors start snatching up the exploits, it's just going to drive up the price of them on the black market. And any good salesman sells to the highest bidder. At some point, the black market price is going to exceed whatever the vendors are willing to pay. Desperate customers with deep pockets will still get their hands on the exploits. (though this would arguably reduce the number of them in the wild due to higher cost)

    5) let's not forget that if you create a legitimate reason to hack your product, it will increase the number of exploits found. Some consider this a good thing, but a lot of vendors consider this a bad thing. And they're usually impossible to convince otherwise.

    --
    I work for the Department of Redundancy Department.