Slashdot Mirror


The Case For a Global, Compulsory Bug Bounty

tsu doh nimh writes "Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products. Stefan Frei, director of research at NSS Labs, suggests compelling companies to purchase all available vulnerabilities at above black-market prices, arguing that even if vendors were required to pay $150,000 per bug, it would still come to less than two-tenths of one percent of these companies' annual revenue (PDF). To ensure that submitted bugs get addressed and not hijacked by regional interests, Frei also proposes building multi-tiered, multi-region vulnerability submission centers that would validate bugs and work with the vendor and researchers. The question is, would this result in a reduction in cybercrime overall, or would it simply hamper innovation? As one person quoted in the article points out, a majority of data breaches that cost companies tens of millions of dollars have far more to do with other factors unrelated to software flaws, such as social engineering, weak and stolen credentials, and sloppy server configurations."

25 of 81 comments

  1. Good idea... by jddeluxe · · Score: 2

    Good luck getting many of the software corporations to sign up for this...

    1. Re:Good idea... by jythie · · Score: 2

      Well, if we were going to be in favor of this, I could see a company's underwriters requiring such a system or perhaps offering it as an insurance package.

    2. Re:Good idea... by smooth+wombat · · Score: 2

      It means you get to jail/fine any software companies who don't sign up for it,

      And good luck getting a company to pay a fine. Or is this like the UACA where the government will reach into your bank account if you don't voluntarily hand over your money to private companies?

      If you're trying to stifle companies and drive them out of business, or make them go elsewhere, this is a good way to do it.

      But I guess living in your nanny state, that's the only way to get companies to produce better code.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower

    3. Re:Good idea... by mlts · · Score: 4, Insightful

      What will happen is that companies will spawn off sub-contractors which do all the coding and are completely offshore entities.

      For example, foocorp spawns off ABC Coders. ABC Coders just does business in one country, selling and maintaining its codebase to foocorp. Foocorp is just a customer, so if a government demands a bug bounty, they would have to go upstream to ABC Coders, and since ABC Coders does not do international business, they can give other nations the middle finger when it comes to their regulations.

    4. Re:Good idea... by ultranova · · Score: 3, Insightful

      You know what "compulsory" means? It means you get to jail/fine any software companies who don't sign up for it, so I don't think much luck will be needed.

      So in other words, this is about killing off independent developers. Only companies who can afford $156,000 per bug will be able to distribute programs. Free software will, of course, die overnight.

      So... Apple or Microsoft?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  2. Silly by Nerdfest · · Score: 4, Insightful

    This is silly. All it would do is force black market prices up and push smaller companies out of business. It would probably also raise insurance rates for software companies and the cost of software in general. Of course, it would also probably push up the rates for competent software developers.

  3. That's absurd by DarkFencer · · Score: 3, Insightful

    That is an absurd argument. Yes some companies can and should offer bug bounties but if the only method you can rely on is out bidding the black market, then you've already lost.

    Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.

    1. Re:That's absurd by Obfuscant · · Score: 2, Insightful

      Not to mention, there are a lot of small companies, small foundations, and open source projects which could never afford such prices.

      Who pays when a bug is found in the Linux kernel?

  4. Kill all startups by mwvdlee · · Score: 3, Insightful

    I work for a startup. Not one of those few heavily-funded startups, but a regular startup with barely enough funding to scrape by in the first few years. Like most startups.

    $150,000 is just ever so slightly more than two-tenths of one percent of my startup's annual revenue.

    Asking an average startup to pay $150,000 for a security bug is like asking security researchers to work for $0.10 an hour.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

    1. Re:Kill all startups by Anonymous Coward · · Score: 2, Insightful

      $150,000 is double the annual revenue of many smaller non-American companies. (Think smaller companies with only two or three programmers, where a lot of the more useful/interesting software of the world comes from.)
      Forcing something like this would be a disaster.

    2. Re:Kill all startups by swillden · · Score: 2

      I don't think this would be so problematic for startups. They'd just end up buying insurance, the same way they insure a lot of other things. And the insurance companies would not only spread the risk, but they'd also actively require companies to mitigate the risk, by doing the right kinds of security reviews. Further, they'd almost certainly end up pricing the premiums differently based on the degree of risk posed by the software. If a startup is building a product that, if exploited, could lead to billions of dollars in damages, then the premiums will be higher and the security practices required to bring them down will be much stiffer. On the other hand, if your startup is building the latest twitterbot, the risks are pretty low.

      The bigger impact to startups would be in agility, not financial, I think. Particularly for startups building software that could be used to compromise high-value targets (or large numbers of low-value targets). But I don't think that's actually a bad thing. Some areas should innovate more slowly and cautiously, because they're risky.

      I think the bigger problem is how to combine white and black markets in a reliable and trustworthy way.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    3. Re:Kill all startups by Wycliffe · · Score: 2

      The only way the insurance would be reasonable would be if the bug bounty was not a fixed price. I.e., if I have 1000 customers' credit card numbers then the bug wouldn't be worth near as much as if I had 100000 customers. But how do you do that with open-source software, or does the company running it hold the responsibility?

      Also, if we are basing it on the "street value" of the bug then it still becomes insane. So if I find a bug that could cost Microsoft $10M and the street value is 50 cents on the dollar, then Microsoft has to give me 5 million dollars for finding it? That's probably worse than just waiting and letting it happen, which is never going to be 100% and has at least some chance of recovering or mitigating the loss.

    4. Re:Kill all startups by swillden · · Score: 2

      How is the price of this insurance going to be determined for a company that just came into existence? There's no track record that can be used to establish the relative risk for producing bugs.

      The nature of the software should provide a good basis for estimating potential damage (e.g. avionics control system vs twitterbot), and the tools and development processes used should provide a good basis for estimating risk of vulnerabilities. Indeed, much as I hate to admit it, the software industry could probably benefit from the level of rigor that insurance actuaries would apply, to both damage estimation and development methodology evaluation.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    5. Re:Kill all startups by swillden · · Score: 2

      The only way the insurance would be reasonable would be if the bug bounty was not a fixed price.

      Yes, that's the idea. Bug bounties would be set by the value of the vulnerabilities on the black market, so the prices would vary depending on the nature of the bug and the target. I'm doubtful that such a market would work, but if you assume that part of it does, then insuring against it would work well.

      That's probably worse than just waiting and letting it happen which is never going to be 100% and has at least some chance of recovering or mitigating the loss.

      Yes, that's the nature of insurance. If the actuaries do their jobs right, insurance is always, in aggregate and in the long run, a losing proposition. If you can afford the potential hit, you should not buy insurance. But insurance makes a lot of sense in cases where the probability of catastrophic loss is relatively low but the impact is, well, catastrophic.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    6. Re:Kill all startups by Splab · · Score: 2

      Yeah, here's an idea: create a company, get insurance, create bug-riddled code, get someone else to turn them in and profit...

      This makes about as much sense as having firefighters paid on accord.

  5. Clickbait by SteveFoerster · · Score: 2

    This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.

    --
    Space game using normal deck of cards: http://BattleCards.org

    1. Re:Clickbait by Akratist · · Score: 2

      This idea is so ridiculous, I can't imagine it's not simply clickbait. And thanks to Slashdot editors, it worked.

      Sadly, bad ideas have a way of becoming policy and law, especially when special interests and lobbyists get involved.

  6. Re:Great way to kill off small players by fche · · Score: 2

    Regulations often benefit the entrenched regulated against the newcomer competitor.

  7. Go fucking fuck your fucking self, fucking fuckup by Anonymous Coward · · Score: 2

    This guy wants to force all companies to buy something this guy's company would indubitably directly financially benefit from.

    From their website:

    "Our unique team of world-class security analysts have led the IT research and testing communities in providing the right information IT decision-makers need to be secure. Let us help your business make better, informed security decisions."

    Way to create a market for yourself ! You go ! If you can't drum up business through providing value, head to Congress and force people to give you money. It's the American way.

  8. Everything old is new again! by Anonymous Coward · · Score: 2, Interesting

    I recall an old story I heard in my early days of programming. A company offered a monthly bonus to its testers for each bug found in its code. Guess what happened? The testers made deals with the programmers for a cut of the action, so the programmers created bugs and let the testers know where/what they were. Now, I guess we just have to scale this out a bit more and voilà... here is the story on Slashdot! THANKS!

  9. Not all security bugs are equal. by jellomizer · · Score: 2

    The real problem is the assumption that all security glitches are equally bad.
    Sure, at hack-a-thons we see the impressive "I can break into this computer in under 5 minutes"; however, this is often in a controlled environment, where they can pick and choose which services they want on, and assume that a lot of people hook their PCs up to the raw internet. And a bunch of businesses do this too.

    Now if there is a flaw in the world-facing features such as a web browser or SSH client, yes, that is serious. But if it is a flaw that, say, allows for local vulnerabilities, that is much different.

    To try to make a market for these means companies will have to pay for and fix things in the wrong priority.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.

  10. Targeted at larger companies... by Stolpskott · · Score: 2

    ...that kind of scale could work.
    For a bounty of $150,000 to be "less than two-tenths of 1% of those companies' annual revenue" (I am assuming that is each company's annual revenue calculation, not a global pool), that suggests the model is aimed at companies with >$75M annual revenue.
    Newsflash for the paper authors... there are not many software development companies in that ballpark. Granted, the smaller the company, (probably) the smaller the market for their software so the smaller the need for such a bug bounty.
    But if companies are going to be "compelled" to buy bug reports, that is going to require federal legislation which is not good at such fine-tuned work, especially after 150 groups of lobbyists have crafted their specific amendments to it, at which point companies will shift development efforts offshore, causing the federal legislation to be retargeted at company head-office location or companies whose software is used within the country, and a legal dance to get around the legislation begins, assuming software dev houses do not simply say their software cannot legally be used within USA.

  11. not bounties... by Fubari · · Score: 2

    Mandatory bounties are the wrong way to go; it reminds me of this: http://dilbert.com/strips/comic/1995-11-13/. An approach like TFA advocates would have an underground economy in bug fixes spring up and wouldn't solve real zero-days. Instead...

    Allowing users to recover damages seems more suitable; a "zero day" class action suit or two would result in tremendous advances in best practices for security and qa (aspects of software development that, for some odd reason, just don't seem to get much funding today). By 'allowing' I mean changing software licensing so that verbiage like '...AS-IS WITHOUT RECOURSE TO RECOVER ANY LOSSES OR DAMAGES, DIRECT OR INDIRECT...' no longer holds.

    Which is a pretty huge change, and a number of interests would lobby against that. So I expect it will take a pretty severe incident (e.g. loss of life, or maybe a loss of significant money) to shock existing legislation and treaties (it would have to be global; hello WTO) sufficiently to encourage change. By "significant" I mean larger than the multi-billion dollar loss 'estimates of global damage from cybercrime' cited in TFA. That "cost" isn't nearly enough to change behavior, especially when you average it out across the world population.

  12. In order for this to work we need 2 things by wiredog · · Score: 2

    A ban on "free" or "open sourced" software that doesn't have a corporation behind it. And a legal requirement that software only be produced by licensed and bonded "software engineers".

  13. Nonsense by vinsci · · Score: 3, Insightful

    That suggestion makes no sense at all, considering that governments are paying to insert security bugs, either by ordering the companies to do so or by infiltration of the developer team.

    --

    Trusted Computing FAQ | Free Dawit Isaak!