Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are Bug Bounties the Right Solution For Improving Security?

Posted by timothy on from the 10-bucks-says-they-might-be dept.

saccade.com writes Coding Horror's Jeff Atwood is questioning if the current practice of paying researchers bounties for the software vulnerabilities they find is really improving over-all security. He notes how the Heartbleed bug serves as a counter example to "Linus's Law" that "Given enough eyeballs, all bugs are shallow." "...If you want to find bugs in your code, in your website, in your app, you do it the old fashioned way: by paying for them. You buy the eyeballs. While I applaud any effort to make things more secure, and I completely agree that security is a battle we should be fighting on multiple fronts, both commercial and non-commercial, I am uneasy about some aspects of paying for bugs becoming the new normal. What are we incentivizing, exactly?

58 comments

  1. You buy eyeballs and loyalty. by vidarlo · · Score: 5, Insightful

    NSA is buying security holes to use against us. This is part of what Snowden revealed with the leaks.

    Offering a bounty, even though it is not as much as the security problem could fetch on the grey market, creates a certain loyalty towards the vendor, and makes it easier to go to them, and ensure the hole gets patched. It also attracts more eyeballs to your software, as finding a problem means money. Google has gone even further - by offering grants for research into specific products, where you get money for checking security of the software, not just finding security prolems.

    So I believe it is a good thing; it probably means more holes will be reported directly to the vendor, and not sold for exploit. It probably attracts eyeballs as well...

    --
    Assembling etherkillers for fun an profit
  2. The problem is by Rosco+P.+Coltrane · · Score: 3, Funny

    It pays better to exploit the bugs...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:The problem is by Opportunist · · Score: 2

      Depends on whether you're able to actually monetize it. Exploiting a bug doesn't make money come out of your computer.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:The problem is by Anonymous Coward · · Score: 0

      That's right but not everyone is an asshole. Lots of white hats would get to it first given the opportunity, it just needs to put food on the table.

    3. Re:The problem is by jones_supa · · Score: 1

      It pays better to exploit the bugs...

      Even if a blackhat secretly monetizes a bug, a whitehat can still officially grab the bounty for the same bug.

    4. Re:The problem is by blackraven14250 · · Score: 1

      Do you think everyone only owns one hat?

    5. Re:The problem is by jones_supa · · Score: 1

      No, I don't think. What I said would still apply.

  3. Enough eyeballs and heartbleed ... by QuietLagoon · · Score: 5, Interesting

    ... He notes how the Heartbleed bug serves as a counter example to "Linus's Law" that "Given enough eyeballs, all bugs are shallow."...

    I think the big issue with the Heartbleed bug was that the OpenSSL code base was so egregiously poorly written and maintained that eyeballs started bleeding whenever they looked at it. imo, the OpenSSL code base never had enough eyeballs looking at it to make its bugs shallow. It was painful to look at, so eyeballs avoided looking at it.

    .
    I still think that Linus' Law hold true, or at least is a very good guideline. I think exceptions like the OpenSSL code base are needed to hone the point that Linus' Law makes.

    I also take issue with the headline, as I do not think there is any one right solution for improving security. The improvement of security is a multi-faceted endeavour and an ongoing process.

    1. Re:Enough eyeballs and heartbleed ... by Rosco+P.+Coltrane · · Score: 4, Insightful

      I think the only thing the OpenSSL bug shows is how flimsy the underlying framework of the internet is. Most of the shit we all use, trust and take for granted was coded in someone's basement over the weekend a long time ago. All it takes is one clever guys to take a good look at the code to exploit it, and it's probably fair to say he'll be the only one to review the code ever...

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    2. Re:Enough eyeballs and heartbleed ... by OzPeter · · Score: 3, Interesting

      I think the big issue with the Heartbleed bug was that the OpenSSL code base was so egregiously poorly written and maintained that eyeballs started bleeding whenever they looked at it. imo, the OpenSSL code base never had enough eyeballs looking at it to make its bugs shallow. It was painful to look at, so eyeballs avoided looking at it.

      I agree. Heatbleed is not a counter example, it is simply evidence that the original "Linus's Law" was not complete. A better version of it would be

      Given enough eyeball hours, all bugs are shallow

      With the definition of "enough" being dependent on the complexity of the code in question.

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:Enough eyeballs and heartbleed ... by jones_supa · · Score: 2

      I think the big issue with the Heartbleed bug was that the OpenSSL code base was so egregiously poorly written and maintained that eyeballs started bleeding whenever they looked at it. imo, the OpenSSL code base never had enough eyeballs looking at it to make its bugs shallow. It was painful to look at, so eyeballs avoided looking at it.

      That's really just speculation.

      So let's everyone ask ourselves this question: how many times do we personally browse open source code, looking for vulnerabilities or other bugs?

      Let me guess that the answer is: I mostly run precompiled binaries, and might rarely take look at a particular small piece of code to solve a specific problem (which I came across by running the binary).

      I suggest that it just is likely that most OSS projects are like OpenSSL: only the core developers take a look at the codebase.

      My solution is that instead of relying on Linus's Law, we should be more thinking about dedicated professional code audits, because those actually work and can be really powerful in improving security. Big commercial shops like Microsoft and Apple already do this in spades internally as part of their QA procedures.

    4. Re:Enough eyeballs and heartbleed ... by QuietLagoon · · Score: 2

      ...So let's everyone ask ourselves this question: how many times do we personally browse open source code...

      "Everyone" does not need to do it. You've set up a premise that fails on face value.

    5. Re:Enough eyeballs and heartbleed ... by jones_supa · · Score: 1

      Ok, good counterargument, but I still suspect that the amount is extremely low outside the main developer team.

      The romantic vision of hackers around the world sitting comfortably next to a fireplace with a ThinkPad and browsing source code in the evening is just a fantasy...

    6. Re:Enough eyeballs and heartbleed ... by Bite+The+Pillow · · Score: 1

      A shallow bug is one that can be fixed, or at least understood and described, quickly, easily, or simply.

      That doesn't mean the bugs will be found, it characterizes what happens after they are found.

      I don't believe Linus' Law has anything to do with the number of bugs *found*, rather bugs *fixed*.

      It is the open source community that says more bugs will be found because anyone can read the source - but then no one reads the source. And then people (mis) understand that Linus' Law somehow means that all bugs will be *found*.

      Your first paragraph is sensible, and then you fell into the trap in the second paragraph. It is still true, and OpenSSL is not an exception - as you said, it did not have enough eyeballs, so it is exactly the point that Linus was making.

    7. Re:Enough eyeballs and heartbleed ... by Bite+The+Pillow · · Score: 2

      A better version of Linus' Law would be the original one.

      So, if rapid releases and leveraging the Internet medium to the hilt were not accidents but integral parts of Linus's engineering-genius insight into the minimum-effort path, what was he maximizing? What was he cranking out of the machinery?

      Put that way, the question answers itself. Linus was keeping his hacker/users constantly stimulated and rewardedâ"stimulated by the prospect of having an ego-satisfying piece of the action, rewarded by the sight of constant (even daily) improvement in their work.

      Linus was directly aiming to maximize the number of person-hours thrown at debugging and development, even at the possible cost of instability in the code and user-base burnout if any serious bug proved intractable. Linus was behaving as though he believed something like this:

              8. Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.

      Or, less formally, ``Given enough eyeballs, all bugs are shallow.'' I dub this: ``Linus's Law''.

      My original formulation was that every problem ``will be transparent to somebody''. Linus demurred that the person who understands and fixes the problem is not necessarily or even usually the person who first characterizes it. ``Somebody finds the problem,'' he says, ``and somebody else understands it. And I'll go on record as saying that finding it is the bigger challenge.'' That correction is important; we'll see how in the next section, when we examine the practice of debugging in more detail. But the key point is that both parts of the process (finding and fixing) tend to happen rapidly.

      http://www.catb.org/~esr/writi...

    8. Re:Enough eyeballs and heartbleed ... by fahrbot-bot · · Score: 1

      8. Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.

      Seems to work for Firefox. Every time there's a N.0.0 release, there's a N.0.1 release in less than a week - every... freaking... time. I'd wish they'd focus on getting things done correctly rather than quickly and churning out new major version numbers.

      --
      It must have been something you assimilated. . . .
    9. Re:Enough eyeballs and heartbleed ... by Anonymous Coward · · Score: 0

      So what? How much worse is it than if nobody were looking? Not at all? Well, there you go, then.

      I guess you won't bother with asprin because it doesn't ALWAYS solve the headaches.

    10. Re:Enough eyeballs and heartbleed ... by jones_supa · · Score: 1

      I wouldn't buy the aspirin if I couldn't be certain that the pill contains aspirin.

    11. Re:Enough eyeballs and heartbleed ... by Anonymous Coward · · Score: 1

      I couldn't agree more. Just last month we learned that NTP is maintained by a single person who does it on his own time and dime (and who could stop any time to look for a paying job). I opened the changelog and there is a lot of ongoing activity, so it's not like the person is just answering the occasional email.

      While I am very much into open source, and I don't blame it for this, I do believe that there is a tendency associated with it to take certain things for granted. That makes some of the biggest pillars of the internet infrastructure shockingly weak.

    12. Re:Enough eyeballs and heartbleed ... by Zero__Kelvin · · Score: 1

      "He notes how the Heartbleed bug serves as a counter example to "Linus's Law" that "Given enough eyeballs, all bugs are shallow."

      He falsely notes that, since Linus' law has absolutely nothing to do with it. He seems to think Linus said: If enough people work on a project, there won't be any bugs.' Linus' Law refer to the ability to track down, understand, and fix a bug once it has been discovered.

      And my first thought when I read the title was in line with yours. What a stupid question. Just as with security, the correct approach is a multi-tiered one. Bug bounties are fine, so long as they are just one of the (hopefully many) ways you are trying to improve your code.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re:Enough eyeballs and heartbleed ... by QuietLagoon · · Score: 1

      ...Most of the shit we all use, trust and take for granted was coded in someone's basement over the weekend a long time ago. ...

      ... and the code written in nice air-conditioned offices in Redmond, Washington has shown itself to be so much more secure over the years ....

    14. Re:Enough eyeballs and heartbleed ... by QuietLagoon · · Score: 1

      ... Just last month we learned that NTP...

      NTP.org is its own problem. Even when there was more than a single person maintaining it, the development looked less than favorably upon code improvement suggestions from the community.

      ... I do believe that there is a tendency associated with [open source] to take certain things for granted....

      You've hit on the main problem. It is not open source, per se, as you imply in your message. It is community involvement.

      .
      Where you have a community that is involved and stays involved, bugs are shallow. When you have a community, such as NTP.org, where suggestions are pushed away, bugs become very deep.

  4. no by Anonymous Coward · · Score: 0

    But that's the only way to fix code that's already been written.

    1. Re:no by arth1 · · Score: 1

      I'm a bit worried, though. What's the safeguard against a software engineer introducing defects, getting someone else to report it, and splitting the bounty?

      Or, even for old code, it may tempt someone to share proprietary code with someone outside the company, in order to find bugs and share the bounty.

    2. Re:no by R3d+M3rcury · · Score: 1

      I'll admit, whenever stuff like this comes up, I always think of this...

    3. Re:no by Anonymous Coward · · Score: 0

      Why do the multitude of anti-virus and security related software vendors along with the high dollar security research firms always seem to be playing catch up? What would the incentive be for these entities to actually do something to get ahead of the curve and preempt security exploits? All they seem to be doing is performing post modems on successful hacks. Their entire existence requires faulty security systems so they can continue to make money. What's preventing these world renowned security "experts", researchers, and analysts from playing both sides to justify their continued existence.
             

  5. the 'Right Solution' ? by YrWrstNtmr · · Score: 1

    No, but it is one pathway out of several.

    1. Re:the 'Right Solution' ? by Bite+The+Pillow · · Score: 0

      -1 redundant

      So we should view bug bounty programs as an additional angle of attack, another aspect of "defense in depth", perhaps optimized a bit more for commercial projects where there is ample money. And that's OK.

      That's from the fucking article. You're not helping.

  6. What exactly is the problem? by Locke2005 · · Score: 1

    Why aren't bounties considered a good idea? Yes, we've always argued that it gives developers an incentive to intentionally insert bugs so that they may profit off of them later. But are there any documented cases of that actually happening? For one, the authors of the code should automatically be prohibited from profiting by their mistakes. For another, there is a huge chance someone else would find and submit the bug first, and only the first finder should get rewarded. In human behavior, as a general rule, whatever behavior you reward, you create more of. It stands to reason that rewarding people for finding bugs will only result in more bugs being found!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:What exactly is the problem? by Bite+The+Pillow · · Score: 1

      The problem is, Jeff is uncomfortable with the idea. That's the whole of the foundation in the linked article. But there is this point:

      The incentives feel really wrong to me. As much as I know security is incredibly important, I view these interactions with an increasing sense of dread because they generate work for me and the returns are low.

      Not all reports of security issues will be real issues, and if you offer bounties some people will be looking for an easy payout.

      Most of the article is useless junk:

      If your focus is the payout, who is paying more? The good guys, or the bad guys? Should you hold out longer for a bigger payday, or build the exploit up into something even larger? I hope for our sake the good guys have the deeper pockets, otherwise we are all screwed.

      And variations. If we stop paying bounties, what happens? A few people unconcerned with legal aspects will sell bugs to the bad guys, and the people concerned with legalities will just report bugs for free. One bad assumption by Jeff is that people will (or can) sell security problems to the bad guys with no ethical qualms, that it is perfectly fungible and only depends on who can afford to pay.

      I'm guessing Jeff spent an hour chasing a bad report, got emotional, and wrote this as a result of that experience. That doesn't help.

    2. Re:What exactly is the problem? by __aaltlg1547 · · Score: 1

      It may be an effective component to your total bug strategy, but it should be the last on the list. The primary effort should be oriented to not releasing the bugs to begin with.

      Let's say I create an adversarial system in my company. I pay developers a base salary plus an at-risk bonus for delivery of software QA by the deadline. If they deliver before the deadline, the at-risk bonus increases.
      QA has base salary plus can earn that at-risk bonus by finding the bugs between when it's delivered to them for analysis and the delivery commit date. Developers have incentive to deliver bug-free code, because that maximizes their bonus. QA is incentivized to find all the bugs, because that maximizes their bonus.

  7. They're not THE solution, but a good idea by Anonymous Coward · · Score: 0

    You need to do your own debugging as well, but these days, security bugs are worth serious money.

    A bug bounty is just recognizing that if only the black hats get any support, that's all we'll have in a while.

  8. Posting them on the internet... by Karmashock · · Score: 1

    ... is the best solution. Nothing gets them to fix the bug besides liability. The fear of lawsuits, embarrassment, etc... that gets them to take it seriously. Nothing else.

    MS had some bugs that they knew about for a decade that they didn't patch.

    You jump right to setting their nuts on fire.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  9. start at the root, we must have securable hardware by anwyn · · Score: 3, Insightful
    Free software, yes. Bug bounties, maybe.

    But recent developments have made clear that securable hardware is sine qua non. All firmware must be in socketed memory, so that you can take it out and externally check it. You can't trust an untrusted system to check itself. All firmware must be protectable with a hardware readonly jumper or switch.

    I know that this is inconvenient and a revolution on how hardware is currently made. but if people started demanding it en mass, it would not cost very much. And I mean the firmware in disk drives and optical media players and especially routers.

    There may be other requirements.

    This is sine qua non. Without this we have nothing.

  10. Conspirating developers and bug hunters by Anonymous Coward · · Score: 0

    I am reminded of a story on TheDailyWTF, The Defect Black Market http://thedailywtf.com/articles/The-Defect-Black-Market
    In that short story, a company-internal bug bounty program worked as intended for a while, numerous bugs were found and resolved. When the QA testers ran out of bugs to find, they started conspirating with the developers: the developers started placing bugs so that the QA testers would certainly find them and get their bounty. The bug bounty program was stopped soon after.

    So yeah, corruption and conspiracy are possible downsides of bug bounty programs.

    1. Re:Conspirating developers and bug hunters by Anonymous Coward · · Score: 0

      And corruption isn't a problem otherwise???

      No. Corruption finds a way to exploit things. kLOC? Write verbose code, lots of whitespace. Know of an exploit? Sell it to the hackers. Know the company is going down the shitter from your time on the executive board? Sell all shares and get out early.

      Corruption happens and is bad by definition.

      Not paying a bounty for bugs doesn't stop corruption.

  11. Someone will buy for the information by Opportunist · · Score: 1

    It's either someone who will fix the bug or someone who plans to exploit it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Are you an optimist or a pessimist by Anonymous Coward · · Score: 0

    This is only going to work if you can get all the security holes out of a piece of code. If you can't then people are going to find bugs and get really good at finding them.

    Some of them might look to see if they can get a better offer than yours.

  13. Re:start at the root, we must have securable hardw by Anonymous Coward · · Score: 0

    If pigs had wings. There is no such thing as secure hardware. There have been enough recent stories about backdoors in CPUs, hard-drives and so forth to know that this is very likely, if not true.

  14. Re:start at the root, we must have securable hardw by jones_supa · · Score: 2

    What I personally think is really scary is that a lot of devices in our PCs are ready to accept new firmware at any moment. There usually are no safeguards that I can enable to prevent malicious code being injected to core components like BIOS, CPU microcode, HDD, DVD...

    Now, in general, hardware security is a tricky concept, because currently the hardware layer is simply fully trusted.

  15. it scales by slashmydots · · Score: 2

    Any expense that scales with the job it does or problems it solves is a good thing. Why pay someone XX per hour to sort books in a book store if you can pay them $0.05 per book and ensure static, scaled costs that tie to inventory cycling (aka sales) directly. Then again, you don't know how many bugs are in your program.

  16. Re:start at the root, we must have securable hardw by Anonymous Coward · · Score: 0

    i wish BIOS/UFI updates could only happen when a jumper was set. That is the safest way of doing things.

  17. If you don't want to pay out, Jeff by Anonymous Coward · · Score: 0

    Stop making so many bugs, and fix them yourself.

    You don't have to pay out if there are no bugs. So don't make them and your problem is entirely self-inflicted.

  18. Re:start at the root, we must have securable hardw by spauldo · · Score: 1

    Back in the old days, you'd generally have to either replace the physical chip or at least move a jumper in order to write to firmware.

    The current status quo is simply to lower costs for support; you don't have to send out a tech to update someone's firmware, you can just have them download a file and run it. Companies can save money on QA because you can fix mistakes later on. To make matters worse, the vast majority of consumers don't understand the problem.

    I agree with you 100%, but this is money we're talking about. I could see a small market of locked-firmware devices targeted at entities that require that level of security, but it would be priced well outside consumer range.

    --
    Those who can't do, teach. Those who can't teach either, do tech support.
  19. Re:start at the root, we must have securable hardw by jones_supa · · Score: 1

    Good point. Practicality trumps security here.

  20. Re:start at the root, we must have securable hardw by AnotherBlackHat · · Score: 1

    Adding a write-protect jumper only costs a few cents.
    And if you want to keep the convenience of downloadable upgrades, don't install the jumper.
    Sure, only a few percent of us would buy a motherboard because the BIOS had the option to add a write protect jumper, but that's still a few percent more sales.
    Plus it's a marketable difference - if you've got it and your competitors don't, then you can use scare tactics;
    "Unlike our competitors, we care about your computer's health, that's why all our motherboards have physical protections against viruses."

  21. What about better QA and no don't have the dev's d by Joe_Dragon · · Score: 1

    What about better QA and no don't have the dev's do testing.

    Also the QA needs to have full access to what they are testing. They need to be able stuff that end users can do as well being able to manually set up the system / data in different ways not only to make easier / faster to test out some modes but to also to setup for some unusual modes / settings.

    QA needs to be able to think out of the box and it does not need to be some job that is just a side job to some ones other job.

  22. back when you need to burn eproms code was better by Joe_Dragon · · Score: 1

    back when you need to burn eproms code was better on release there where still updates but the base code. Even with older dos / windows game where mostly done on release with some updates. Now days things are more buggy and software comes out with things that will be added later with updates that are easy to install.

  23. Better then landing them on jail... by Anonymous Coward · · Score: 0

    Well they certainly are better then thowing people reporting security holes to jail...

  24. Re:start at the root, we must have securable hardw by __aaltlg1547 · · Score: 1

    Of course it's possible. My company does it all the time. There are several effective methods, the simplest being putting a jumper on the write-enable pin of the device that holds the firmware, and the removal of that jumper before you ship.

  25. The downside... by xlsior · · Score: 3, Funny

    ...was covered almost 20 years ago by Scott Adams: http://dilbert.com/strip/1995-...

    1. Re:The downside... by Anonymous Coward · · Score: 0

      Isn't that about the time frame that TeX had a bug bounty program?

  26. Re:start at the root, we must have securable hardw by angel'o'sphere · · Score: 1

    Adding a write-protect jumper only costs a few cents.
    1cent times 1 billion devices is 10million "lost profit".

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  27. Re:start at the root, we must have securable hardw by AnotherBlackHat · · Score: 1

    And 1 percent less sales * 1 billion devices * $100 a board is $1 billion in "lost profit".

    If the jumper costs %0.1 of the profit on the device, then it only needs to improve sales by %0.1.

  28. Re:start at the root, we must have securable hardw by Anonymous Coward · · Score: 0

    No you dont.
    You just need the tools to calculate the firmware version, and a way to verify it is correct. This includes verifying alternate shadow copies, and being able to blank unused and unallocated storage, see engineering sectors etc.This includes video cards with direct DMA access.

    There has been a strong push against firmware discovery. Part of the reason is people may work out they are getting older products, or with slower cpus, less modern displays ect out of the box.

    Even if we did have firmware control, secret instruction sets, or port commands to other hardware, means that there are bleeds in other areas.

    But a home brew router/firewall that drops packets on the floor makes the game harder, so physical access is needed. Oh wait, this is what airport snooping is about.

  29. nope by Anonymous Coward · · Score: 0

    i gave up on chasing bounties and writs in general because once you get a lead on something someone far more skilled with far graver intent
    just swoops in. best you can do is when they are coming for your chair torpedo the project.