Slashdot Mirror
The Case For a Government Bug Bounty Program
Trailrunner7 writes "Bug bounty programs have been a boon for both researchers and the vendors who sponsor them. From the researcher's perspective, having a lucrative outlet for the work they put in finding vulnerabilities is an obvious win. Many researchers do this work on their own time, outside of their day jobs and with no promise of financial reward. The willingness of vendors such as Google, Facebook, PayPal, Barracuda, Mozilla and others to pay significant amounts of money to researchers who report vulnerabilities to them privately has given researchers both an incentive to find more vulnerabilities and a motivation to not go the full disclosure route. This set of circumstances could be an opportunity for the federal government to step in and create its own separate bug reward program to take up the slack. Certain government agencies already are buying vulnerabilities and exploits for offensive operations. But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who don't pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks. DHS has a massive budget–a $39 billion request for fiscal 2014–and a tiny portion of that allocated to buy bugs from researchers could have a significant effect on the security of the nation's networks. Once the government buys the vulnerability information, it could then work with the affected vendors on fixes, mitigations and notifications for customers before details are released."
No way they are going to buy these vulnerabilities and use them to spy on Americans or weaponize them.
This week on Dog the Bug Bounty Hunter.... "Youngblood, get my port scanner I got a zero day cornered over here. Freeze motherfucker!"
I hope this drives the right behavior.
This is essentially a government subsidy to software companies that produce crappy code.
Look at Walmart. it pays its employees so little money that they have to use government assistance like foodstamps and medicare. Walmart shareholders reap the benefit, and the public is left taking care of their employees.
Here's a better idea - if a company is making software that's critical to national infrastructure, make them liable for any bugs that occur (and for smaller companies, require them to carry insurance up to a certain level of liability).
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
Will there be a bug bounty program for our codes of law, or do I still have to be in a corporation and pay them for my fixes?
You can hold down the "B" button for continuous firing.
Is the reward money enough to get me out of federal prison when I'm arrested for unauthorized access?
Some software authors would intentionally create bugs that their accomplices would then "discover".
That was the turning point of my life--I went from negative zero to positive zero.
This sounds like a terrible idea. There are times the government should get involved in something, and time they shouldn't. This is one of those times they shouldn't.
It isn't the charter of any federal agency to shore up the products of private corporations. Corporations should be doing that anyway, and under the typical free market is awesome attitude most users here have, the expense of paying for bug discovery and fixes should factor into the corporation's pricing, profits, potential liability (haha) and so on. If the government starts picking up the tab, corporations will just quit doing their own QA.
Citizen's now have to pay so Microsoft can fix it's product? Don't they make billions of profit every quarter? How about investing some of that into... I don't know... better development and QA??
Plus, with the government offering a bounty, that effectively means the people wind up paying for fixes for products they many not use.
This is just more corporate welfare for irresponsible/lazy ones that are unwilling to properly invest in security.
When you find the bug, they are just going to throw you in jail like they do with other vulnerability exposers. Then they'll offer you an out - be employed by them permanently at crap wages to avoid prison time.
"Love heals scars love left." -- Henry Rollins
But the opportunity here is for an organization such as US-CERT, a unit of the Department of Homeland Security, to offer reasonably significant rewards for vulnerability information to be used for defensive purposes. There are a large number of software vendors who donâ(TM)t pay for vulnerabilities, and many of them produce applications that are critical to the operation of utilities, financial systems and government networks.
Why should the government subsidize these businesses?
I wouldn't have a problem with it if the program was revenue neutral, meaning the companies had to pay the government to essentially run a bug program for them.
Alternatively, instead of the carrot, how about the stick?
Penalize companies that refuse to implement secure design/coding practices and penalize them separately if their hardware/software comes out insecure.
[Fuck Beta]
o0t!
there is a large difference. the expoits in code are generally used as attacks and don't effect the normal use of the code. this would be the equivalent to holding the engineering firms that design the bridge responsible for the terrorist that bombed it.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Wouldn't it be more relevant to consider what happens to engineers who design bridges that collapse when someone blows them up? That would be a more relevant comparison. Pretty sure they get contracts to design replacement bridges.
"I opened my eyes, and everything went dark again"
How about holding people responsible for writing bad code and fine them, or allow lawsuits.
That would immediately end the free software movement. No more Linux. No more gcc. No more Firefox ...
Commercial software would become far more expensive and have far fewer features.
There would be a black market in cheap "as is" software written by anonymous authors and hosted offshore.
this would be the equivalent to holding the engineering firms that design the bridge responsible for the terrorist that bombed it.
If the terrorist was able to bring down the bridge using three toothpicks, an ice cube tray and a plastic whistle that he found inside a cereal box, then yes I would hold the engineers responsible.
Instead of this why not just give our tax dollars away to big vendors?
A simple tax giveaway would be cheaper to administer and have the same end result.
Why in the world is this even an option?
I'd like to report a bug. I submit my taxes online, but don't get refund checks. Instead I keep getting certified nastygrams.
Clearly there's some major flaw going on.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
If Homeland Security said,"It is okay, attack our servers, our power grid, and other infrastructure. We'll pay you if you find a vulnerability." Then they can't just haul you to jail if you attempt it. I always thought,"Don't mess with the stuff to begin with" was a significant deterrent for most people. Now, you might say,"Fix it before an enemy of the state uses it for true detrimental means", well then you'd have to argue with brass who have to admit they were wrong all along.
God spoke to me
What? You say that you caught me breaking into the CIA, FBI, the White House and another unnamed three letter agency? Naw, I was just participating in the Government sanctioned Bug Bounty Program. Proudly helping my country protect itself from evil-doers. If you don't believe that then I declare a fatwa on you and I want my Imam, I mean Lawyer.
I'm an American. I love this country and the freedoms that we used to have.
Complete lack of voluntary support - as expounded upon by Marc Stevens (http://lrn.fm/shows/#NSP), Stephen Molyneux (http://freedomainradio.com/), Larken Rose (http://www.larkenrose.com/)... Oh yeah, and Lysander Spooner (https://en.wikipedia.org/wiki/Lysander_Spooner)
Why?
It would be simple to only allow liability up to the cost of the software. That would provide incentive to commercial folks to fix their software and not overly burdon FOSS software.
It is worse than that. It is essentially rewarding companies for not taking security seriously.
There is software backed by companies which do offer a bug bounty, and there is software backed by companies which offer no bug bounty. Having a bug bounty for more software is desirable. But having government pay it for those companies, who do not pay it themselves, is not the proper solution. A much better solution would be that whenever the government buys software, it will primarily buy from companies, which do offer a bug bounty.
This will mean the software being bought is more likely to be secure. Additionally it will put a force on the market, driving it in the right direction.
The only situation where the government should be paying any bug bounties, is when the bugs are in software or services offered by the government. For example it could apply to security problems found in government websites. But if those products are bought from private companies in the first place, it should be made part of the contract, that the vendor will pay the bug bounty and fix the bug.
Do you care about the security of your wireless mouse?
It would be simple to only allow liability up to the cost of the software. That would provide incentive to commercial folks to fix their software and not overly burdon FOSS software.
Except that most FOSS isn't written for free. Companies pay people to write the code. If a company pays you to write a new device driver for Linux, and it turns out there is a bug, they you are liable for your full salary in government fines. Right? What programmer would work under those conditions? The company that paid you would, of course, have no liability, because they gave the software away for free (only charging for the hardware device).
I would be surprised if anyone who reported a bug wasn't likewise investigated to see what they might have done right after they discovered it. Seems like a person would be opening themselves up to some possible grief doing this.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Now companies create crappy software with bugs, and then get government subsidized software security testing.
If I understand correctly, this is about government doing bug bounty programs for vendors that do not? That looks like an incitation for vendors to not do it, since government will. Except of course if we introduce a tax on vendors that do not have bug bounty programs.
There is a bug bounty system for FOSS projects at http://ospif.org/ - which is designed to reward improvements to Open Source projects.
The US Government will never allow a random citizen leverage over it, nor to provide for any obligation to that citizen due to the help they've contributed (ask many veterans).
When I was a kid, we only had one Darth.
Is the government going into the software publishing business? No? Then why should the government be paying for other corporations mistakes. If anything they should be fining the corporations. Giving the corporations more incentive to find bugs.
We don't need to be finding a way for DHS to spend more money, we need to find a way to get rid of DHS.
The company would sue you/fine you?
The end user did not pay, so he has no one to sue/fine. I would assume you would have in your contract that the company cannot hold your responsible. Companies are generally responsible for the actions of their employees.