The Case For a Global, Compulsory Bug Bounty
tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."
Good luck getting many of the software corporations to sign up for this...
This is silly. All it would do is force black market prices up and push smaller companies out of business. It would probably also raise insurance rates for software companies and the cost of software in general. Of course, it would also probably push up the rates for competent software developers.
slashdot, news for fucking bastards, stuff thats fucked up the ass.
The problem with this sort of program is the same problem that no amount of vulnerability fixing will ever address -- the human factor. Just as social engineering is probably the biggest weakness with most systems, something like this is going to be gamed by people who figure out how to profit from a program that companies are forced to participate in.
That is an absurd argument. Yes some companies can and should offer bug bounties but if the only method you can rely on is out bidding the black market, then you've already lost.
Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.
I work for a startup. Not one of those few heavily-funded startups, but a regular startup with barely enough funding to scrape by in the first few years. Like most startups.
$150,000 is just ever so slightly more than two-tenths of one percent of my startup's annual revenue.
Asking an average startup to pay $150,000 for a security bug is like asking security researchers to work for $0.10 an hour.
Srsly?... Global bug bounty? IMDB
This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.
This sounds like an excellent way to completely kill off all small companies; only the big players like Microsoft and Oracle will be left, and prices will skyrocket.
People should really think through what they are asking for, or is it that they have thought it through, i.e. is it actually the Microsofts of the world pushing for this?
This guy wants to force all companies to buy something this guy's company would indubitably directly financially benefit from.
From their website:
"Our unique team of world-class security analysts have led the IT research and testing communities in providing the right information IT decision-makers need to be secure. Let us help your business make better, informed security decisions."
Way to create a market for yourself! You go! If you can't drum up business through providing value, head to Congress and force people to give you money. It's the American way.
I recall an old story I heard in my early days of programming. A company offered a monthly bonus to its testers for each bug found in its code. Guess what happened? The testers made deals with the programmers for a cut of the action, so the programmers created bugs and let the testers know where/what they were. Now, I guess we just have to scale this out a bit more and voilà... here is the story on Slashdot! THANKS!
The real problem is the assumption that all security glitches are equally bad.
Sure, at hackathons we see impressive "I can break into this computer in under 5 minutes" demos, however this is often in a controlled environment, where they can pick and choose what services they want on, and assume that a lot of people hook their PCs up to the raw internet. And a bunch of businesses do this too.
Now if there is a flaw in the world-facing features such as a web browser or SSH client, yes, that is serious. But if it is a flaw that only allows for local vulnerabilities, that is much different.
To try to make a market for these means companies will have to pay for and fix things in the wrong priority.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
...that kind of scale could work.
For a bounty of $150,000 to be "less than two-tenths of 1% of those companies' annual revenue" (I am assuming that is each company's annual revenue calculation, not a global pool), that suggests the model is aimed at companies with >$75M annual revenue.
Newsflash for the paper authors... there are not many software development companies in that ballpark. Granted, the smaller the company, (probably) the smaller the market for their software so the smaller the need for such a bug bounty.
But if companies are going to be "compelled" to buy bug reports, that is going to require federal legislation which is not good at such fine-tuned work, especially after 150 groups of lobbyists have crafted their specific amendments to it, at which point companies will shift development efforts offshore, causing the federal legislation to be retargeted at company head-office location or companies whose software is used within the country, and a legal dance to get around the legislation begins, assuming software dev houses do not simply say their software cannot legally be used within USA.
Allowing users to recover damages seems more suitable; a "zero day" class action suit or two would result in tremendous advances in best practices for security and qa (aspects of software development that, for some odd reason, just don't seem to get much funding today). By 'allowing' I mean changing software licensing so that verbiage like '...AS-IS WITHOUT RECOURSE TO RECOVER ANY LOSSES OR DAMAGES, DIRECT OR INDIRECT...' no longer holds.
Which is a pretty huge change, and a number of interests would lobby against that. So I expect it will take a pretty severe incident (e.g. loss of life, or maybe a loss of significant money) to shock existing legislation and treaties (it would have to be global; hello WTO) sufficiently to encourage change. By "significant" I mean larger than the multi-billion dollar loss 'estimates of global damage from cybercrime' cited in TFA. That "cost" isn't nearly enough to change behavior, especially when you average it out across the world population.
For a large variety of reasons that have already been explained here, making this mandatory is an idiotic idea. What about making it part of a rating or validation though? Such things are generally voluntary except for safety critical applications.
Yeah that always works well. What is this, socialized medicine?
Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers
That's a great idea. These 'submission centers' could work directly with vendors to ensure that bugs are fixed in a responsible way so the public isn't harmed. We could call it something like the Total Security Audit or the Time Sensitive Action program or simply TSA for short. I feel safer already.
With one big practical issue, this idea seems fundamentally sound, from an economic perspective. Presumably the black market values the vulnerabilities according to their exploitation potential, which should be related to the value of the software. Currently that may not always be the case, but it should be, even in cases of cyber warfare where the attacker's interest is in doing damage, not stealing money.
Consider, for example, a control system that is used to manage a large electrical power grid. Right now, economics will price the value of that software based on the cost of production, plus sales expenses, transaction costs and a profit margin. If the company buying the software (or its regulators) to run its grid is very conscientious, it may recognize that vulnerabilities could wreak havoc and require some additional security auditing, etc., in which case the necessary security effort would get factored into the price. However, that also may not happen -- especially if the software is some apparently minor, peripheral piece, whose ability to destroy the grid isn't obvious.
But if the maker of the software is responsible for purchasing vulnerabilities, and the value of the vulnerabilities becomes clear to, say, Chinese government hackers looking for ways to attack the power grid, then the security due diligence is likely to be factored in up front. I imagine what will really happen is that software companies will buy insurance against potential vulnerability costs, and insurance companies will quickly become savvy analysts of security risk potentials and secure development process evaluation. Security code reviews may become the equivalent of installing fire suppression systems and building with flame-retardant materials, something everyone does to keep their premiums down.
However, I see one big problem with it: The black market is, by definition, black. Can you get reliable vulnerability valuations out of it? It seems to me that if I have a potentially-serious vulnerability to sell, the first thing I'm going to do is to get some buddies to help bid up the price, with an agreement that we'll split the take. They can bid as much as they like because we all know the company will be required to buy the vulnerability for a slightly higher price. For that matter I can simply claim I have a bidder willing to pay $X, for any X I choose. Given that real black market bidders are going to be very hard to identify, how can anyone say I'm wrong? And if the software company claims I'm lying and refuses to buy, what if they're wrong? And what's to stop them from claiming that all of the other bids are fabrications?
Making this work seems to require an auditable, high-trust marketplace that traffics in illicit goods and has a lot of criminal participants, who are somehow comfortable participating. That seems... rather difficult to achieve. Not impossible, perhaps, but definitely very difficult.
As an independent developer who is very security aware -- Unit tests + input fuzzing, zero memory access/free errors for release candidates, complete code coverage -- There are still bugs that can sneak in, especially when statically linking against libraries. I remember being bit by libpng -- code I did not write myself and could not hold to as high a standard. Do you charge every dev using libpng? Do I charge libpng devs? Does everyone charge libpng? How am I supposed to know who's fault it is if you don't let me see the bug first? Oh, would you look at that, my next patch will remove the exploit vector anyway, sorry, I don't have to pay your bounty. Do I just go out of business because I can't actually afford to pay black-market prices for a bug targeting a library simply because it's been customized to work against my product? You have the source code, you fucking fix it yourself. I'm not paying for a service I never asked for, just like you don't have to pay for my support service for the codebase.
Another name for bug is programming mistake. I'm making ends meet, so that's the level of effort you get: what you pay for. Humans make mistakes and errors will happen, since you will not pay what it does take for me to write 100% mathematically verifiably secure code -- I've done so in the past for a few drivers back in the day written in ASM: all possible inputs validated as producing the correct machine state, computers have finite state, and the price of my work reflects the extra development time and energy. You do not value security, so I can not spend the time to secure the code, because you will buy a cheaper and less secure service. Compulsory bug bounty? Get ready for a price hike; meanwhile wherever the law doesn't apply will become the new software capital of the world.
Factoring in bug bounty to my expenses means I can't take the risk to release code, might as well close up shop. Look, I hate EULAs as much as the next guy, but I have to have one: You see that indemnity clause? The one that I have to include because even if my code is perfect, your hardware and other software may not be and I can't trust you, a judge or jurors to tell the difference? Yeah, that's what I'll use if there's a mandated compulsory bug bounty. You'll click right through the waiver that says you won't hold me liable for YOUR USE of my software, like you always do -- If you can't take on the responsibility and risk to operate the software, then you don't have permission to use my software. So, read the fine print and it'll say that I'll be billing you the cost of any bug you bill me for, plus my legal expenses. And if you try to sue me over it, well, in America the court will want you to prove damages -- which you can't, because it's YOUR USE of the software that causes risk, not my publishing of it. You don't have to use my code. Even if you manage to not agree to my license and discovered a bug, if you found the bug you can avoid the bug... no damage. Users could just sue crackers for exploiting them -- that'll work so well, eh?
Thank you for downloading from Bug Bounty Isolation Software Inc. -- The corporate shell you'll be trying to charge for software bug bounties, which will file bankruptcy immediately and Bounty Free Software Inc. will then assume the role of distributor. (Just like with patent infringement suits) Rest assured, this will be the 6th time I have rebuilt the BusinessMatrixAdapterFactorySingleton, and I have become exceedingly efficient at instantiating it.
I've got a better idea. Why don't you get everyone to care enough about security first, and run a Kickstarter to get them to fund your bug research efforts? While you're at it, solve the halting problem for me too; Then a mandatory bug bounty will make sense, because it could be provably the result of malice.
A ban on "free" or "open sourced" software that doesn't have a corporation behind it. And a legal requirement that software only be produced by licensed and bonded "software engineers".
That suggestion makes no sense at all, considering that governments are paying to insert security bugs, either by ordering the companies to do so or by infiltration of the developer team.
Anytime coercion enters the picture, along comes its sibling, corruption, in every sense of the word.
If your scheme is not popular enough to stand on its own two legs -- if your arguments are not enough to win the day -- propping it up with compulsion is the only recourse left, and it reaps what it's worth.
Instead of having to pay black market prices and force companies to hand over bugs, this would save money and be silent!
NSA claims to have foiled a cataclysmic cyber threat (likely from China) to exploit a BIOS attack.
First off, there are a number of bios manufacturers, not all will have the same bug. Second, there are numerous bugs still existent. And even when known it is extremely hard to get manufacturers to fix them.
This sounds like the NSA found someone in China using an exploit in a BIOS to hack computers, and alerted the manufacturer, who was probably already aware of the fact after numerous Linux users had reported it years ago.
http://www.businessinsider.com/nsa-says-foiled-china-cyber-plot-2013-12
...what you SHOULD be lobbying for is reporting and transparency on bug reports made to companies, relying on some auditing body (either government or private). Here's the bug, here's a POC of the exploit (the POC code can be kept private). Require companies (or perhaps some third party and/or government board) to do some level of risk assessment on the identified issues: how big an exploit? How hard to use? How easy to fix?
If the company sits on it, and it gets in the wild, then have some way to penalize them for negligence if they deliberately sit on a known major issue. Track when and how transparently companies provide security warnings to customers/users if there are known issues that are not yet fixed. Allow independent auditing of how many issues of what severity each company has open. Have some independently audited "scoring" of which companies are the most responsive to reported issues, and which ones sit on them. Score who has the most exploits discovered in the wild.
Now you're at least moving in the direction of forcing companies to give a crap about security without giving financial incentives to black hats.
It might make sense if the "mandatory" part was limited to larger players in a given sector. e.g., over 20% market share or something. Certainly, vendors need more incentives to patch bugs, but I'm not sure this is the right way to go about it.
As a programmer I support this proposal 100%!
http://dilbert.com/strips/comic/1995-11-13/
Enforce and apply existing product liability laws to software.
That way, any bugs that are found become a liability for the company that produced the software. The companies won't be able to make users sign all their rights away with EULAs, and will actually have to take responsibility for their products.
As a developer, I generally try to *remove* bugs from the software, but for a share of the $150,000, I'm sure I could let something slip through and then tell you where to find it. Dilbert nailed this 18 years ago: http://dilbert.com/strips/comic/1995-11-13/
Imagine a world where you and I could get a bounty for finding building code violations. That could be a full-time occupation, and a lot of people would be going around finding frivolous technical violations just to get the money.
Software isn't any different. There are lots of things that could be considered bugs, that shouldn't deserve a bug bounty. Who is the arbiter of what deserves a bounty and what doesn't?
This is pure BS.
Instead of forcing anything, simply decline to offer copyright protections on the work.
It's a stupid idea.
1. They'll put the bugs in and tell me where to look.
2. I'll report the bugs.
3. We split the $150,000.
4. ????
5. Profit!