Bug Bounties: Outbidding the Black Hats

snydeq writes "Fatal Exception's Neil McAllister discusses whether independent software developers should follow in the footsteps of Google and Mozilla and begin offering bug bounties before black hats pay up for their undisclosed software flaws. 'Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They're just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it's time more software shops thought seriously about using their own cash to turn the tide in their favor.'"

Paying people to find bugs?

[Hatta]

What a novel idea!

Re:

[mabhatter654]

seriously though, from the point of view of somebody that makes software this is still blackmail.

Imagine if we held home builders to the same standard... I'm going to run around your neighborhood with tire irons, deer grill on my 4x4, and a lock pick set and if I get into your house (by ripping out the porch or windows) , it's still YOUR fault?

If we're going to play that way, then just allow companies like Apple and Microsoft to hire Blackwater for some anti-hacker work! Much like bounty hunters, give them

Re:

[Hatta]

Nonsense. This is a great deal for software companies. Instead of paying people a salary whether there find any bugs or not, you get people to work for free and only pay them when they find bugs.

Re:

[Jibekn]

Your analogy is flawed, homes are not designed to be burglar proof, while software is (theoretically). A proper analogy would be to liken this to someone breaking out of prison, without a trace, and refusing to tell anyone how they did it without being paid, which I would call very reasonable, especially if this person in question is not a convict, just a security consultant.

Re:

[oliverthered]

It's more like someone sending two satellites up into space to prove or disprove the theory of relativity.

Then someone sending more to prove it wrong again.

only more like, since software is or should be duelist.

Re:

[TheRaven64]

seriously though, from the point of view of somebody that makes software this is still blackmail.

I've given up reporting bugs in proprietary software. When I file bug reports with free software projects, someone usually fixes them, and we both benefit from improved software. When I file bugs in proprietary software, I usually find that I am expected to pay for the next version, which fixes the bug. I do QA for them, but get nothing in return.

I don't sell the bug reports to black hats (although one of the last ones that I reported in OS X was exploitable - I think that one's fixed now). There's n

Re:

[munky99999]

Actually we have building inspectors that ensure building work is done properly. If you wish the analogy to be true we will need to implement code inspectors who ensure it is problem free. In other words exploit-free. Im pretty sure recently the Americans considered trying this and basically all software developers grabbed their swords and put them to the neck of those involved.

Re:

[mabhatter654]

we license Doctors, lawyers, engineers, accountants... heck even auto mechanics and hair stylists ... we even license TOYS for safety now... You'll note we don't license Executives, we don't license Wall Street investment bankers... I think software will have to have some minimum licensing... or companies like Google, Microsoft, Apple, Sony will simply lobby to have their platforms legally locked down and hacking enforced by law... with guns.

This overlooks various marketing opportunities

[afourney]

Bug bounties are paid once. Meanwhile, there are many black hats who may be willing to pay for an exploit package, access to bot nets, etc. I imagine there is more money to be made using bugs for nefarious purposes.

Re:

[Anonymous Coward]

It is always going to be more profitable in the short term to be dishonest. That's the whole point of dishonesty.

The goal here is to push people a bit more toward honesty, most would prefer to make a dollar honestly than a hundred dishonestly.

Re:

[Anonymous Coward]

I don't think that's true. I think that most people would prefer to make a dollar they will keep than a hundred that could be seized by law enforcement officials, but that's not the same thing. Lots of people do all kinds of unethical but legal things simply because it means more money. There are some who think as you describe but they are a minority, and even most of them would compromise those principles if they really needed the hundred dollars.

Re:

[hedwards]

I doubt that comes into the picture. Criminals in general don't assume that they're going to be caught, there are exceptions, but most don't think they'll be caught. Especially for cybercrime where they frequently hide out in places where the government can't or won't prosecute them.

Re:

[gnick]

Criminals know there's a chance of getting caught, but it's simple risk/benefit.
X = Perceived chance of getting caught
P = Penalty if caught
$ = Profit of legitimate version of endeavor
$' = Profit of illegitimate version of endeavor
M = Offset for positive moral feeling (varies per individual)
T = Thrill factor of going outside the law (varies per individual)
If $'-XP+T > $+M, a person goes criminal. Note that all values must be converted to personal 'worth' of cash/emotion.

Re:

[oliverthered]

You missed off. System fucked you up.

So M could be on either side.

Re:

[oliverthered]

That would be your personal opinion.

Allow it to be negative, fine, just put it on the other side.

Your making a judgement of value based from your perspective.

Re:

[oliverthered]

It's more given any set of deeds where one tends to deeds the set of deeds with least resistance would be chosen. stress testing may be required. ponzi schemes set-up, choose an existing one you make your own or do some interfacing.

There does however exist a set of people who tend to faith, this system seems bizarre to the deed doers. But an old time measure (martin Luthor) related to the notion of free will.

The is to say it was the deed of eating the apple from the tree of knowledge that was bad.
vs
The corr

Re:

[Ihmhi]

Shit, that's how modern business works, not just your everyday individual criminal. Recall if you will the "car recall" speech from Fight Club.

Re:

[countertrolling]

And besides, the police will just as likely steal your honest dollar as 'drug proceeds'. Good luck getting it back.. Honesty, and even basic humanity has become a quaint old anachronism. Even the illusion (with the US gone down the tubes over the last tens years) has seriously deteriorated. It just doesn't pay. Crime and general savagery, however, is quite the opposite story

no, law enforcement is the buyer

[poppopret]

They pay pretty well if they trust you. They sure won't seize back what they just payed you. Email doubleplusgoodalbert at my gmail account if you'd like a job doing this. US citizens only, sorry.

Re:This overlooks various marketing opportunities

[Riceballsan]

I don't think the bug bounties will ever match the insane prices that black hats will sell these things for, but they can motivate the white and grey hats to spend more time looking for the bugs. The black hats have the perk that they can more or less turn the hunting into a full fledged job, find the right 2-3 exploits and you can make profits that legitimate programmers make in 5 years, but for every one of those guys, there's 10 people who work 9-5 and could probably use a bit of extra cash, $1000 or so isn't a bad incentive to spend a few extra hours each night looking around for something, it's also something that could look good on the resume for a starting programmer, and substantial money to say a teenager. Rather then spending 80K on one good black hat, you can spend 70k and keep thousands of white/grey hats from all walks of life. Heck there's some mistakes that I'm sure a bored teenage prodigy would catch that an experienced veteran programmer would miss just because they see things differently.

Re:

[BZ]

For what it's worth, the bored teenage prodigy effect has certainly come up at least in Mozilla's case, and 2-3 bug bounties is indeed pretty good money for a teenager!

Depends on the price. Maybe we should bid.

[elucido]

For $1000 no. For $5000-$10,000 yes.

Only because we know companies like Google, Microsoft,Facebook and others have the money.

Re:

[Geminii]

Yeah, but the ten guys putting in a couple of hours are going to duplicate a lot of each others' work when it comes to finding the really deep bugs. Buffer overruns are easy, subtle implications of common yet ever-so-slightly mismatched data structures spread across fourteen modules are less so.

lies

[Anonymous Coward]

The article's claim that Microsoft would have to open-up its source to allow bug bounties is rubbish. Google offers bounties for its web applications, and they are hardly open source. There are plenty of vulnerabilities that can be found using black-box techniques. Facebook isn't open source either and will shortly be offering bounties: http://news.softpedia.com/news/Facebook-Prepares-to-Launch-Bug-Bounty-Program-201405.shtml (I regret deleting my facebook account)

Experts like Schneier may point out that bo

Re:

[TheLink]

Experts like Schneier may point out that bounties don't offer great value for time for professionals, but as a student the money is quite an incentive for me.

Or someone working in a poorer country. Salaries are much lower in poorer countries.

And a lot of people would rather deal with Google than deal with the underworld. They might offer more but what do you do if they don't pay up, or come to take it back just because they claim your exploit didn't work (PEBKAC?), or because they feel like it?

Re:

[Anonymous Coward]

Plenty of security researchers have sufficient ethics/common sense not to attempt to sell vulnerabilities on the black market. They typically either practise 'responsible' or 'full' disclosure, or sit on the vulnerability if the vendor has a reputation of taking people to court. Hell even for a blackhat it is often simpler/safer to exploit the vulnerability yourself then sell the cards/passwords you got with it.

Re:

[mysidia]

They might offer more but what do you do if they don't pay up, or come to take it back just because they claim your exploit didn't work (PEBKAC?), or because they feel like it?

I suspect, this is where Bitcoin comes in.

Or a 'trusted' escrow.

Or a deal like 'half the $$$ up front' and 'half when the customer approves'

Or.... proof of concept up front; delivery of final product after $$$ irreversibly paid.

Re:

[Desler]

The article's claim that Microsoft would have to open-up its source to allow bug bounties is rubbish.

That's because the article writer, and the many people on Slashdot who have said the same thing, are morons. For example, Ilfak Guilfanov [wikipedia.org] the main developer of IDA PRO posted his own hotfix for a Windows vulnerability years ago without ever having access to "teh codez". This notion that people found security issues through staring at the code is laughably wrong and is written by idiots who are ignorant of the topic at hand.

Re:

[Anonymous Coward]

Sure, you could simply divert the rounded-off pennies of interest deposits to a swiss bank account. No one will ever notice, it's perfect.

Re:

[mabhatter654]

but they do have cookies!

the light side has milk... bummer.

Re:

[munky99999]

Why do you say that? Black hats can just say they are security researchers... until their name gets a headline they are as good a reference as anyone else. Though why even bother going this far? Most people I know just reference each other and establish fake companies that they all know how they operated in the company. Complete bullshit stories. Which realistically in the long run all references really are bullshit.

Capitalism at work

[chill]

Dilbert #1 [dilbert.com]

Dilbert #2 [dilbert.com] -- Also explains IE 6

I foresee economic problems

[v1]

Cash For Exploits has several problems:

1) a hacker that manages to engineer a zero-day has a whole line of customers willing to pay serious money for it. Malware authors that just got their cash cow's exploit patched last week are foaming at the mouth waiting for a new zero-day to put them back on track. They're making lots of money on their malware and are definitely willing to pay to keep it running a few more months. Companies aren't usually willing to pay a lot for an exploit. (there are exceptions but they are still uncommon) I'd love to see some hard numbers on what an average malware author nets a month.

2) said hacker can sell it more than once. Possibly many times. Why sell your exploit to the vendor once when you can sell it 100 times to other people? Is the vendor really going to be willing to pay you 100x what one desperate malware author can pay? Hard numbers on what a zero day ends up paying off would be really interesting to look at, and is what the vendors need to be considering when setting their bounties.

3) vendors downplay vulnerabilities as a way of life. They have every reason to tell you that the hole you discovered is of little value and try to cheat you on the payoff. On the other hand, selling it to the malware community is a reputation based system. Sell crap and it will hurt your reputation and hurt your business. They know a good exploit when they see it and will pay you what it's worth. The hacker can either make themselves the Bitch or the Man. Being the Man will naturally be more profitable.

4) if the vendors start snatching up the exploits, it's just going to drive up the price of them on the black market. And any good salesman sells to the highest bidder. At some point, the black market price is going to exceed whatever the vendors are willing to pay. Desperate customers with deep pockets will still get their hands on the exploits. (though this would arguably reduce the number of them in the wild due to higher cost)

5) lets not forget that if you create a legitimate reason to hack your product, it will increase the number of exploits found. Some consider this a good thing, but a lot of vendors consider this a bad thing. And they're usually impossible to convince otherwise.

Re:

[Anonymous Coward]

Why sell your exploit to the vendor once when you can sell it 100 times to other people?

Why not do both? First sell it on the black market, then when that revenue stream starts to dry up turn around and sell it to the vendor. This strategy has the added bonus of increasing demand on your next exploit when the vendor gets around to fixing the bug you've already sold.

Re:

[poppopret]

Hard numbers on what a zero day ends up paying off would be really interesting to look at, and is what the vendors need to be considering when setting their bounties.

OK, look at the size of the US government's black budget. This is what they need to outbid. Oh, but the budget will change as required.

In case you can deliver the goods, my gmail address is doubleplusgoodalbert. We're hiring.

Re:

[Sulphur]

I'd love to see some hard numbers on what an average malware author nets a month.

Ask either that answer to that or to a question for which you know the answer. The data can be separated.

Protection against crime

[Pf0tzenpfritz]

Protection against crime is not an issue "the market should regulate". Basically paying for bugs -to protect yourself or your customers from illegal actions- is privatizing justice and a deeply undemocratic thing. To be protected from crime is what all the "security" measures by governments claim to be about and it is not a matter of weath how much or how good individual protection is.

Re:

[munky99999]

So you think the security researchers should only sell to the government? Or work for free? You're nuts.

Selling to a black hat is stupid

[Stan92057]

Selling to a black hat is stupid, he/she will use it for criminal activities that will send you to jail as well as the Black Hat. Your future will be ruined unless an anti virus company hires you. They do have a history of hiring the bad guys.

Re:

[munky99999]

Has anyone in a 1st world country ever been arrested for selling an exploit to another person who may have used it illegally? Hell catching actual blackhats is ridiculously low... going to court with someone who sold an exploit is going to be pretty fuckin difficult. I could sell a gun to someone and they might then go use it to kill someone but that's hardly my problem.

My 0-day

[munky99999]

So I wrote my 0day. It's just a denial of service at this point because the actual exploit is heap-based and I'm a total noob and cant write a heap based exploit. This is an application that if I were to nmap the internet I'm sure I would find LOTS of this; as the whole purpose of the application is about being web-faced. The actual software has been included in lots of products.

I contact the software developer and say, "Hey I have a denial of service vulnerability that could be written into a remote code e