Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Case For a Government Bug Bounty Program

Posted by Soulskill on from the 40-cents-for-a-cockroach,-75-cents-for-a-bedbug dept.

Trailrunner7 writes "Bug bounty programs have been a boon for both researchers and the vendors who sponsor them. From the researcher's perspective, having a lucrative outlet for the work they put in finding vulnerabilities is an obvious win. Many researchers do this work on their own time, outside of their day jobs and with no promise of financial reward. The willingness of vendors such as Google, Facebook, PayPal, Barracuda, Mozilla and others to pay significant amounts of money to researchers who report vulnerabilities to them privately has given researchers both an incentive to find more vulnerabilities and a motivation to not go the full disclosure route. This set of circumstances could be an opportunity for the federal government to step in and create its own separate bug reward program to take up the slack. Certain government agencies already are buying vulnerabilities and exploits for offensive operations. But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks. DHS has a massive budget–a $39 billion request for fiscal 2014–and a tiny portion of that allocated to buy bugs from researchers could have a significant effect on the security of the nation's networks. Once the government buys the vulnerability information, it could then work with the affected vendors on fixes, mitigations and notifications for customers before details are released."

53 comments

  1. You can trust the government. by Anonymous Coward · · Score: 1

    No way they are going to buy these vulnerabilities and use them to spy on Americans or weaponize them.

    This week on Dog the Bug Bounty Hunter.... "Youngblood, get my port scanner I got a zero day cornered over here. Freeze motherfucker!"

    1. Re:You can trust the government. by davester666 · · Score: 1

      How much do we get for finding bugs left in our homes and cars by the FBI?

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Write me a new minivan! by Anonymous Coward · · Score: 1

    I hope this drives the right behavior.

    1. Re:Write me a new minivan! by Anonymous Coward · · Score: 0

      This is the government we're talking about. Write yourself a yacht.

  3. Wrong incentive by Anonymous Coward · · Score: 0

    How about holding people responsible for writing bad code and fine them, or allow lawsuits. Engineers who design bridges that fall down sure feel the consequences.

    1. Re:Wrong incentive by lister+king+of+smeg · · Score: 1

      there is a large difference. the expoits in code are generally used as attacks and don't effect the normal use of the code. this would be the equivalent to holding the engineering firms that design the bridge responsible for the terrorist that bombed it.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    2. Re:Wrong incentive by TheCarp · · Score: 1

      Wouldn't it be more relevant to consider what happens to engineers who design bridges that collapse when someone blows them up? That would be a more relevant comparison. Pretty sure they get contracts to design replacement bridges.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Wrong incentive by ShanghaiBill · · Score: 2

      How about holding people responsible for writing bad code and fine them, or allow lawsuits.

      That would immediately end the free software movement. No more Linux. No more gcc. No more Firefox ...

      Commercial software would become far more expensive and have far fewer features.

      There would be a black market in cheap "as is" software written by anonymous authors and hosted offshore.

    4. Re:Wrong incentive by Minwee · · Score: 1

      this would be the equivalent to holding the engineering firms that design the bridge responsible for the terrorist that bombed it.

      If the terrorist was able to bring down the bridge using three toothpicks, an ice cube tray and a plastic whistle that he found inside a cereal box, then yes I would hold the engineers responsible.

    5. Re:Wrong incentive by h4rr4r · · Score: 1

      Why?

      It would be simple to only allow liability up to the cost of the software. That would provide incentive to commercial folks to fix their software and not overly burdon FOSS software.

    6. Re:Wrong incentive by ShanghaiBill · · Score: 1

      It would be simple to only allow liability up to the cost of the software. That would provide incentive to commercial folks to fix their software and not overly burdon FOSS software.

      Except that most FOSS isn't written for free. Companies pay people to write the code. If a company pays you to write a new device driver for Linux, and it turns out there is a bug, they you are liable for your full salary in government fines. Right? What programmer would work under those conditions? The company that paid you would, of course, have no liability, because they gave the software away for free (only charging for the hardware device).

    7. Re:Wrong incentive by h4rr4r · · Score: 1

      The company would sue you/fine you?
      The end user did not pay, so he has no one to sue/fine. I would assume you would have in your contract that the company cannot hold your responsible. Companies are generally responsible for the actions of their employees.

  4. Public Debt - Privativing Profits by Anonymous Coward · · Score: 0

    So now we are going to support companies by buying their vulnerabilities for them?

    1. Re:Public Debt - Privativing Profits by kasperd · · Score: 3, Insightful

      So now we are going to support companies by buying their vulnerabilities for them?

      It is worse than that. It is essentially rewarding companies for not taking security seriously.

      There is software backed by companies which do offer a bug bounty, and there is software backed by companies which offer no bug bounty. Having a bug bounty for more software is desirable. But having government pay it for those companies, who do not pay it themselves, is not the proper solution. A much better solution would be that whenever the government buys software, it will primarily buy from companies, which do offer a bug bounty.

      This will mean the software being bought is more likely to be secure. Additionally it will put a force on the market, driving it in the right direction.

      The only situation where the government should be paying any bug bounties, is when the bugs are in software or services offered by the government. For example it could apply to security problems found in government websites. But if those products are bought from private companies in the first place, it should be made part of the contract, that the vendor will pay the bug bounty and fix the bug.

      --

      Do you care about the security of your wireless mouse?
  5. Found step 2 by Anonymous Coward · · Score: 0

    1. Write flawed buggy code, still useful enough for wide adoption. Possibly with flaws caused by extremely unlikely inputs.
    2. "Research" said flaws and notify US-CERT, obtaining bug bounty.
    3. Profit

  6. fuck that by Anonymous Coward · · Score: 0

    they'll just turn around and use them against us without disclosing to the general public

  7. Bad idea by Raul654 · · Score: 2

    This is essentially a government subsidy to software companies that produce crappy code.

    Look at Walmart. it pays its employees so little money that they have to use government assistance like foodstamps and medicare. Walmart shareholders reap the benefit, and the public is left taking care of their employees.

    Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur (and for smaller companies, require them to carry insurance up to a certain level of liability).

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Bad idea by Raul654 · · Score: 1

      Correction: I meant to said medicaid (which is for poor people), not medicare (which is for the elderly).

      --


      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    2. Re:Bad idea by Minwee · · Score: 4, Insightful

      This is Walmart. Their employees are eligible for both.

    3. Re:Bad idea by ShanghaiBill · · Score: 1

      Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur

      If someone implemented your idea a few decades ago, there would be no vulnerabilities today ... because the Internet, the World Wide Web, etc. would have never been created.

    4. Re:Bad idea by kamelkev · · Score: 1

      Agreed. Reminds me of Scott Adams' famous "Write me a new minivan" Dilbert comic:

      http://search.dilbert.com/comic/Write%20Minivan

      The only viable solution is to assert a cost to the providers of the software. If said cost is linked to such a bounty program, all the better - but you clearly cannot create a scenario in which writing bad code somehow ends up benefiting the software producers.

    5. Re:Bad idea by Raul654 · · Score: 1

      That's just not true. The internet and world wide web both existed in the early 90s, and neither was critical to national infrastructure at the time.

      --


      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    6. Re:Bad idea by ShanghaiBill · · Score: 1

      That's just not true. The internet and world wide web both existed in the early 90s, and neither was critical to national infrastructure at the time.

      So then as soon as they became critical, the original authors would have to assume billions in liability? Or would software be exempted if it was not critical at the time it was written? So the liability would only apply to things that were "critical" before they existed? It sounds to me like this hasn't been thought through very well.

    7. Re:Bad idea by h4rr4r · · Score: 1

      It is worse than that.
      Walmart actually teaches its employees how to file for these benefits and markets these programs to them actively.

    8. Re:Bad idea by Raul654 · · Score: 1

      It would be fairly easy to have DHS come up with a list of things (physical locations, services, etc) to designate as critical to national infrastructure. In fact, I'd be shocked if they don't already have such a list already.

      The organization that runs these these locations/services would have to build into all of their software contracts a liability clause.

      Problem solved.

      --


      To make laws that man cannot, and will not obey, serves to bring all law into contempt.
      --E.C. Stanton
    9. Re:Bad idea by ShanghaiBill · · Score: 1

      The organization that runs these these locations/services would have to build into all of their software contracts a liability clause.

      Problem solved.

      Except the problem isn't solved. Our infrastructure is already underfunded. Making all the software cost ten times as much isn't going to help that. Every upgrade will also need new liability clauses and legal review. So upgrades will be less frequent, and our most critical infrastructure will be running the oldest and crappiest code, often written by companies that no longer exist because they were sued into bankruptcy. The military already learned this lesson: they found that the extremely expensive "mil-spec" software was their least reliable, and cheap COTS (commercial off the shelf) was far more cost effective.

    10. Re:Bad idea by thoth · · Score: 1

      There's a couple of logic holes here.
      First, who wrote that mil-spec software? Was it a contractor or private corporation? Ah, so the real blame on unreliable expensive software is with some private corporation, not the government, right?
      As for COTS being more effective, that's great assuming the critical infrastructure can be run on COTS.

      As far as this bug bounty, it is a terrible idea. Sorry corporate America, if you want to keep your code private and reap the corresponding profits, you also get to assume the expense of fixing it and various liabilities if applicable. If your stuff isn't fit for infrastructure, then you get cut out of the bidding/purchase process entirely and replaced with some entity that is willing to. You don't get to socialize the cost of your bugs and private the profits, that's total bullshit.

      I would only support this bug bounty for open source software, whereby the bugs and fixes are usable by anyone that wants to.

    11. Re:Bad idea by socode · · Score: 1

      If it was mil-spec, there should have been a pretty stringent acceptance process. Why would anyone sign up to unlimited liability?
      -there was an agreed spec
      -the client set the acceptance criteria
      -they delivered what was in the spec
      -triggering acceptance finalizes the contract and their liability is limited

  8. The code that really matters by game+kid · · Score: 1

    Will there be a bug bounty program for our codes of law, or do I still have to be in a corporation and pay them for my fixes?

    --
    You can hold down the "B" button for continuous firing.
    1. Re:The code that really matters by rodarson2k · · Score: 1

      That was my first thought. Why can't we point out loopholes in the tax code and get a portion of the proceeds from tightening the legal code?

      Why can't we interface prosecutorial databases and law books to find statutes that haven't been enforced in several decades & argue for their dismissal?

      Actually, that would make a pretty fun platform when it comes to running for an elected office.
            Find useless red tape & I'll work to eliminate it. Find tax loopholes & I'll close them.
            Show me the government's waste & i'll trim the fat. Go go crowd government.

  9. reward bail money ? by WillgasM · · Score: 3, Funny

    Is the reward money enough to get me out of federal prison when I'm arrested for unauthorized access?

  10. Too easily abused by Billy+the+Mountain · · Score: 1

    Some software authors would intentionally create bugs that their accomplices would then "discover".

    --
    That was the turning point of my life--I went from negative zero to positive zero.
  11. Ugh by thoth · · Score: 1

    This sounds like a terrible idea. There are times the government should get involved in something, and time they shouldn't. This is one of those times they shouldn't.

    It isn't the charter of any federal agency to shore up the products of private corporations. Corporations should be doing that anyway, and under the typical free market is awesome attitude most users here have, the expense of paying for bug discovery and fixes should factor into the corporation's pricing, profits, potential liability (haha) and so on. If the government starts picking up the tab, corporations will just quit doing their own QA.

    Citizen's now have to pay so Microsoft can fix it's product? Don't they make billions of profit every quarter? How about investing some of that into... I don't know... better development and QA??

    Plus, with the government offering a bounty, that effectively means the people wind up paying for fixes for products they many not use.

    This is just more corporate welfare for irresponsible/lazy ones that are unwilling to properly invest in security.

  12. Jail Time / Recruitment by Baby+Duck · · Score: 1

    When you find the bug, they are just going to throw you in jail like they do with other vulnerability exposers. Then they'll offer you an out - be employed by them permanently at crap wages to avoid prison time.

    --

    "Love heals scars love left." -- Henry Rollins

    1. Re:Jail Time / Recruitment by idontgno · · Score: 1

      Kinda like Snake Plisskin, except without the the tattoo, the eyepatch, the stealth glider, the weapons, or the general bad-assedness. Like Snake without the cool stuff. A nerd Snake.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  13. Why? by TubeSteak · · Score: 1

    But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who donâ(TM)t pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks.

    Why should the government subsidize these businesses?
    I wouldn't have a problem with it if the program was revenue neutral, meaning the companies had to pay the government to essentially run a bug program for them.

    Alternatively, instead of the carrot, how about the stick?
    Penalize companies that refuse to implement secure design/coding practices and penalize them separately if their hardware/software comes out insecure.

    --
    [Fuck Beta]
    o0t!
  14. Dilbert invented this program by Anonymous Coward · · Score: 0

    He and Wally made a fortune. Nuff said

  15. So I recently quit smoking. by Anonymous Coward · · Score: 0

    And I've been getting fat. Decreased metabolism is a terrible thing, and as an IT worker, I sit in a chair all day.

    Perhaps this is an opportunity for the government to step in and pay me $150k/year so I can quit my job and exercise.

    Sure, this idea is absolutely fucking stupid. Just like the one proposed by TFA. Call your Congressman today and demand they give me free money.

  16. Why not just give our tax dollars away? by h4rr4r · · Score: 2

    Instead of this why not just give our tax dollars away to big vendors?

    A simple tax giveaway would be cheaper to administer and have the same end result.

    Why in the world is this even an option?

  17. God only knows by Impy+the+Impiuos+Imp · · Score: 1

    I'd like to report a bug. I submit my taxes online, but don't get refund checks. Instead I keep getting certified nastygrams.

    Clearly there's some major flaw going on.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  18. Good Idea, for some things by Anonymous Coward · · Score: 0

    Make it legal to look for vulnerabilities in critical infrastructure systems such as power, water, defense contractors, electricity, government departments, banks. If it's a significant flaw the company's CEO gets financially dinged.

  19. So the flipside of the argument is by GoodNewsJimDotCom · · Score: 1

    If Homeland Security said,"It is okay, attack our servers, our power grid, and other infrastructure. We'll pay you if you find a vulnerability." Then they can't just haul you to jail if you attempt it. I always thought,"Don't mess with the stuff to begin with" was a significant deterrent for most people. Now, you might say,"Fix it before an enemy of the state uses it for true detrimental means", well then you'd have to argue with brass who have to admit they were wrong all along.

    --
    God spoke to me
  20. I'm innocent! by frovingslosh · · Score: 1

    What? You say that you caught me breaking into the CIA, FBI, the White House and another unnamed three letter agency? Naw, I was just participating in the Government sanctioned Bug Bounty Program. Proudly helping my country protect itself from evil-doers. If you don't believe that then I declare a fatwa on you and I want my Imam, I mean Lawyer.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  21. Government Bug #1 by BozoForPresident · · Score: 1

    Complete lack of voluntary support - as expounded upon by Marc Stevens (http://lrn.fm/shows/#NSP), Stephen Molyneux (http://freedomainradio.com/), Larken Rose (http://www.larkenrose.com/)... Oh yeah, and Lysander Spooner (https://en.wikipedia.org/wiki/Lysander_Spooner)

  22. Maybe, maybe not by Ol+Olsoc · · Score: 1
    In cases of murder, the first thing the police do is investigate the spouse, especially if they are the one who say, came home and discovered their wife had been killed. They are considered the initial suspect.

    I would be surprised if anyone who reported a bug wasn't likewise investigated to see what they might have done right after they discovered it. Seems like a person would be opening themselves up to some possible grief doing this.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  23. oh, wonderful by stenvar · · Score: 1

    Now companies create crappy software with bugs, and then get government subsidized software security testing.

  24. No way by Anonymous Coward · · Score: 0

    Given the reactions of vendors I have reported issues to in the past, even in the absence bug bounties, there is no amount of money that would encourage me to report bugs to government entities. Mozilla's great, but try telling a smaller company (e.g. doing road tolls) that they've got insecure direct object references in their customer web interface and watch the fuckers lawyer-up.

  25. Incitation by manu0601 · · Score: 1

    If I understand correctly, this is about government doing bug bounty programs for vendors that do not? That looks like an incitation for vendors to not do it, since government will. Except of course if we introduce a tax on vendors that do not have bug bounty programs.

  26. Law instead by Anonymous Coward · · Score: 0

    Enforce that all proprietary software distributed at large to customers, must have bounty programs paid by the owner company,
    to a specific percentage of sales or profit ratio or some minimum or maximum range.

  27. Open Source Project Improvement Fund by edoceo · · Score: 1

    There is a bug bounty system for FOSS projects at http://ospif.org/ - which is designed to reward improvements to Open Source projects.

  28. Never happen by rhizome · · Score: 1

    The US Government will never allow a random citizen leverage over it, nor to provide for any obligation to that citizen due to the help they've contributed (ask many veterans).

    --
    When I was a kid, we only had one Darth.
  29. publishing business? by chrismcb · · Score: 1

    Is the government going into the software publishing business? No? Then why should the government be paying for other corporations mistakes. If anything they should be fining the corporations. Giving the corporations more incentive to find bugs.
    We don't need to be finding a way for DHS to spend more money, we need to find a way to get rid of DHS.

  30. Dilbert test-How to tell if it's is a bad idea by Anonymous Coward · · Score: 0

    If an idea has already been parodied by Dilbert in the 1990s, it's a bad idea today.