Bug Bounties Aren't Silver Bullet for Better Security (infosecurity-magazine.com)
Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.
But there is a bullet in the arsenal against bugs...
Write good code by hiring on merit only.
Keep the inner core of skilled coders working hard on quality productive code.
Once low quality code is part of the company it is hard work to go back and try and find good workers.
Domestic spying is now "Benign Information Gathering"
Sounds like another case of the Pareto principle where a small number of people (the elite few) find the majority of the quality bugs.
.1% or something, but I'm somewhat more skeptical about the claims that not even the elite can make it as bug bounty hunters.
I don't know if these elite few are doing this full time, but I'd imagine that they aren't if they only make ~$35k. Most could easily get six figures doing security consulting work, and I would expect that a lot of them do and only do this as a hobby or for the added notoriety. I looked up the pwn2own contest and the main page reports one guy hauled in over $100,000 in the 2018 contest, so some can clearly make a good living doing nothing else if they don't want to. I don't know if those guys are the
Who said it's supposed to be a full time job? Bounties aren't jobs. They're rewards for ethical disclosure
I sure hope my boss doesn't read this article, since yesterday I held a long presentation for the whole board of directors entitled: "Bug Bounties -- the Silver Bullet for Better Security?" where my conclusion was a resounding "YES!"... They applauded. I got multiple pats on the shoulder. Everyone was happy. And now this.
Like in any war, you would want to have as many bullets as possible at your disposal. However, you fight with the army you have, not the army you would like to have, so you need to fit everything within your budget. Having a dedicated pen tester is cool, but a lot of them just go through a set of tools or tests and then that's it. They don't necessarily know the best ways to exploit a particular system.
But clueless people keep looking for it. Always the same with those that mistake technology for religion that will solve all problems in magic ways.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I worked in a very popular bug bounty for a short amount of time. It's about as pure a meritocracy as you can get. Young folks from all over the planet were working very hard to find bugs and some of them did very well for themselves. I would say it's clear that the bug bounty gave them the foothold and the financial backing to start a career in security.
Only the dumbest assholes on the planet think you can survive solely on a bug bounty. However, if you run it properly (which is exceedingly difficult) you can get some real value from it while giving an opportunity for folks that are new to the industry a medium in which they can gain valuable experience and possibly launch a career.
Saying X is not a silver bullet for Y is a misleading rhetorical tactic. If X is better than !X for Y, then X is one of the solutions. That it is not a complete solution is irrelevant. If there is a Z that is better than X, then that is a valid argument.
X will not solve Y is typically used by vested interests against X not people who are genuinely interested in solving Y.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
"Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs"
There is no reason you can't do both. Hell the ones you hire can even be eligible for the bounties as bonuses. It's a built in incentive program.
"Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards."
Obviously the bounties are too low and/or the bugs aren't being acknowledged properly and paid out.
A lot of hackers stopped submitting to bug bounties, because of companies like Facebook never paying their bounties.
There was always an excuse as to why they didn't have to pay. Eventually, after submitting multiple bounties and not being paid, they just stop submitting.
Most probably stop looking for bugs, others start selling them on the black markets so they can at least get paid for their work.
Bug Bounties only work for as long as the companies keep their word.
Facebook is NOTORIOUS for not paying for them and has screwed countless individuals out of their bounties.
They will only pay official companies, but their default policy is to try to find any way possible to not pay if it is an independent researcher.
I still have multiple emails where Facebook Developers told me a bug in their system needed to be fixed in EVERY router in the entire world to prevent CSRF protection instead of filtering CSRF in their system. Then they implemented CSRF filters in their system, but I never got paid for that bounty or any bounty I have EVER submitted to Facebook, which are numerous.
It is VERY well documented online and in blogs, almost as much as Google Adsense stealing from publishers (which has been proven and is getting exponentially worse.)
How can you expect bug bounty programs to work after the hackers and developers wise up to not being paid and instead completely screwed over?!
> Coders are useless without good specifications, good practices and good languages.
Good practices make a world of difference. Peer review, for example, is huge.
Good specifications, or requirements, are critical. Just as good developers learn how to write particular functions, they learn methods of finding out exactly what the requirements are. So "the requirements weren't clear" isn't an excuse for a software engineer to have done poorly, it's what they did poorly. There are good ways of getting the requirements defined, and it is the programmer's job to learn those methods and use them.
I'd say "good languages" are overrated by many. "It's a poor craftsman that blames his tools." One language has benefits and drawbacks compared to another, and being able to choose the language (and style of language) that best fits a given task is useful. If the code is crap, though, it's not because the language sucks, it's because the programmer did a poor job. It is true that trying to write code to query set-based data in Python instead of SQL is likely to result in crappy code.
> Test driven design beats most other forms.
Test driven development is at least a consciously-chosen process. That's certainly better than no methodology, just writing whatever code and throwing it on production with no thought to process.
Silver bullets work only against werewolves, bugs have to be squashed.
Undo errant mod.
Report co-author and CEO of Luta Security, Katie Moussouris, doubled down on the findings, claiming that independent researchers are “better off pen testing or living the good life of in-house research staff.”
Katie started the bug bounty program at Microsoft and now owns a company doing pen testing. Guess what the report recommends? I wonder what it would recommend if she were still heading up a bug bounty program? Maybe I'm overly cynical, but it appears the authors are trying to structure bug bounty programs to be more like they are, security consultants. If you're going to propose such a large change, why look at only one data set? Even the Hacker One CEO said their data set isn't representative of the whole.
It's clear from the news article, which has a very clickbait-y title, that there are ways to improve bug bounty programs. As others have pointed out in comments here, it's still a useful tool. There's a blog post linked in the news article that gives a good overview. That should've been the Slashdot submission.