Topics: Bug, Security, The Almighty Buck

Bug Bounties: Outbidding the Black Hats

Posted by Soulskill
from the all-about-the-benjamins dept.
snydeq writes "Fatal Exception's Neil McAllister discusses whether independent software developers should follow in the footsteps of Google and Mozilla and begin offering bug bounties before black hats pay up for their undisclosed software flaws. 'Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They're just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it's time more software shops thought seriously about using their own cash to turn the tide in their favor.'"


  • by v1 (525388) on Friday May 20, 2011 @12:23PM (#36192804)

    Cash For Exploits has several problems:

    1) a hacker that manages to engineer a zero-day has a whole line of customers willing to pay serious money for it. Malware authors that just got their cash cow's exploit patched last week are foaming at the mouth waiting for a new zero-day to put them back on track. They're making lots of money on their malware and are definitely willing to pay to keep it running a few more months. Companies aren't usually willing to pay a lot for an exploit (there are exceptions, but they are still uncommon). I'd love to see some hard numbers on what an average malware author nets a month.

    2) said hacker can sell it more than once. Possibly many times. Why sell your exploit to the vendor once when you can sell it 100 times to other people? Is the vendor really going to be willing to pay you 100x what one desperate malware author can pay? Hard numbers on what a zero-day ends up paying off would be really interesting to look at, and are what the vendors need to be considering when setting their bounties.

    3) vendors downplay vulnerabilities as a way of life. They have every reason to tell you that the hole you discovered is of little value and try to cheat you on the payoff. On the other hand, selling it to the malware community is a reputation based system. Sell crap and it will hurt your reputation and hurt your business. They know a good exploit when they see it and will pay you what it's worth. The hacker can either make themselves the Bitch or the Man. Being the Man will naturally be more profitable.

    4) if the vendors start snatching up the exploits, it's just going to drive up the price of them on the black market. And any good salesman sells to the highest bidder. At some point, the black market price is going to exceed whatever the vendors are willing to pay. Desperate customers with deep pockets will still get their hands on the exploits. (though this would arguably reduce the number of them in the wild due to higher cost)

    5) let's not forget that if you create a legitimate reason to hack your product, it will increase the number of exploits found. Some consider this a good thing, but a lot of vendors consider this a bad thing. And they're usually impossible to convince otherwise.

  • Re:lies (Score:2, Interesting)

    by Anonymous Coward on Friday May 20, 2011 @12:25PM (#36192814)

    Plenty of security researchers have sufficient ethics/common sense not to attempt to sell vulnerabilities on the black market. They typically either practise 'responsible' or 'full' disclosure, or sit on the vulnerability if the vendor has a reputation for taking people to court. Hell, even for a black hat it is often simpler/safer to exploit the vulnerability yourself than to sell the cards/passwords you got with it.
