There’s rarely a week when the technology press isn’t handed some new vulnerability in hardware or software to dissect. But lately the incidents seem to be growing in both scope and pace: we’ve seen the SHA-1 algorithm broken, services leaking supposedly encrypted data and scheduled patches cancelled at the last minute even in the face of publicly-disclosed vulnerabilities – and those are just examples from February.
In the face of increasing complexity and both consumer and corporate dependence on technology, it’s no longer sufficient for companies to take a reactive approach; instead, companies need to be proactive in finding the flaws and vulnerabilities in the platforms and products before the bad guys do.
Given the expense of maintaining a dedicated in-house security analysis team, and the point-in-time assurance afforded by penetration tests and other external assessments, it’s becoming common for companies to invest in a bug bounty program – and it’s a method which is only likely to increase in popularity over the coming years.
Bug Bounty Programs
The benefits of bug bounty programs – offering monetary rewards to individuals who provide evidence of security flaws in your products and services – are many. But the drawbacks of such programs can be largely dismissed with one simple fact: the fact that you’re not paying for information on your software’s failings doesn’t mean somebody else isn’t.
Black Market Bounties
It’s common to associate the practice of working to discover security vulnerabilities in third-party software with black-hat ‘hackers’ – electronic ne’er-do-wells who live to cause chaos and strife and who often profit through theft or destruction of data. Today, though, there’s money to be made in simply selling information about security vulnerabilities – but not all buyers have positive motives.
Companies like Zerodium, founded by the team behind Vupen, run “exploit acquisition programs,” paying between $5,000 and $1.5 million for vulnerabilities in popular software for which patches do not yet exist, in order to analyze the flaw and provide mitigation and protection information to their clients. Other potential buyers have fewer scruples: national security agencies are known to pay for exploits not only to protect government systems but also to use the unpatched vulnerabilities to attack target systems, as in this Forbes report from 2012.
“Zero-day” is the name given to a vulnerability that is unknown to the vendor and for which no patch or other countermeasure yet exists; a zero-day exploit is working attack code for such a flaw. If a zero-day exploit falls into the hands of a security agency or other aggressive foe, you can be sure that the company whose software is being targeted won’t be informed. This leaves customers unprotected for as long as possible, to say nothing of the risk of such vulnerabilities finding their way into criminal hands, as with the recent Shadow Brokers leaks.
The best defence, then, is a good offence: making sure that researchers, regardless of their motives, have a reason to come to you with their discoveries.
An increasingly popular and low-risk option for larger corporations is to run an internal bug bounty program where staff are incentivised – typically financially – to investigate the security of their company’s platforms and products, whether on their own time or as part of a freeform working period.
A software engineer at a major UK gaming firm explained, speaking on condition of anonymity, “Before launching our bug bounty scheme we thought our security wasn’t bad; we had regular pen tests from a reputable company, kept all of our software patched and fixed problems quickly as we found them.”
“After launching our scheme it became clear that our perceptions were wrong: we found multiple serious problems that our pen tests had missed. Getting more people to look for problems was a big part of that, but mostly I think it’s the type of people that were looking: staff with a deep understanding of how our systems work, rather than pen testers restricted to black-boxing.
“For the company it’s a good way to find more problems, not necessarily cheaply – some of the payouts can be pretty big – but it’s always good value because the cost is per bug found, not for time spent like with a traditional pen test,” the engineer continued, revealing that the scheme has already resulted in 256 verified reports of security vulnerabilities in the five months it has been operating. “For the people involved it’s a great way to make some extra cash, but it’s also a fantastic way to learn. I know more about how our systems work, and significantly more about security best practice as a direct result of hunting for bugs. It has made me a better developer.”
With no information on the vulnerabilities ever leaving the company, internal bug bounty programs are the safest of all. For smaller companies, though, it’s unlikely that there is enough manpower available to make a serious dent in any major codebase – making external programs a more tempting proposition.
When a company decides to open up its bug bounty program to outsiders, there are two main approaches. Large companies like Google, which has a heavily-staffed security division of its own, run their own bug bounties and pay out cash rewards for verified security vulnerabilities in their platforms and services. Google also participates in public competitions such as Pwn2Own, a regular part of the CanSecWest security conference in which researchers are asked to demonstrate their exploits in front of a live audience.
For smaller companies, however, such programs can be fraught with difficulty. Submissions to Google’s programs can be quickly validated by its internal security division, but in a company which lacks dedicated staff, simply sorting the wheat from the chaff of invalid or fraudulent submissions can be a time-sink. “Organizations with self-managed programs are often overwhelmed not only by the volume of submissions, but also by the process of validating these submissions and paying researchers,” explained Paul Ross, senior vice president of managed bug bounty platform Bugcrowd. “Working with a trusted partner alleviates this.
“At Bugcrowd, our experienced team of experts have run successful bug bounty programs for hundreds of organisations. This team handles the time-consuming work of communicating with researchers, replicating vulnerabilities, and coordinating development effort to deploy solutions. Moreover, managed programs ensure that the scope is clearly identified, researchers are fairly rewarded, and that program goals are met. Finally, if the idea of opening up testing to the community-at-large is too much, Bugcrowd offers organizations the option to run a private program with a select group of researchers. Our private programs are limited to vetted, highly rated and trusted researchers, giving organisations even more control of their bug bounty program.”
For many companies, the very idea of a bug bounty program seems fraught with peril and the concept of actively encouraging external third parties to find security flaws in products and services terrifying. The reality of the modern world is that third parties are already doing exactly that, only without your consent and with no intention of sharing the results with you. This means that a bug bounty program, whether internal or external, can reap real dividends in improved code quality and platform security.