Bug Bounties: Outbidding the Black Hats
snydeq writes "Fatal Exception's Neil McAllister discusses whether independent software developers should follow in the footsteps of Google and Mozilla and begin offering bug bounties before black hats pay up for their undisclosed software flaws. 'Whichever side of the fence you fall on, the fact is that bounties are being paid for undisclosed software flaws. They're just not always being paid by the vendor who developed the software. As ever more commercial data moves into the cloud and the stakes for cyber crime rise, black hat hackers are offering real money for exploitable bugs. In turn, when exploits happen, vendors may be held legally liable for any customer data that was compromised. Maybe it's time more software shops thought seriously about using their own cash to turn the tide in their favor.'"
Paying people to find bugs? (Score:3)
What a novel idea!
Re: (Score:3)
Seriously though, from the point of view of somebody that makes software this is still blackmail.
Imagine if we held home builders to the same standard... I'm going to run around your neighborhood with tire irons, deer grill on my 4x4, and a lock pick set, and if I get into your house (by ripping out the porch or windows), it's still YOUR fault?
If we're going to play that way, then just allow companies like Apple and Microsoft to hire Blackwater for some anti-hacker work! Much like bounty hunters, give them
Re: (Score:3)
Nonsense. This is a great deal for software companies. Instead of paying people a salary whether they find any bugs or not, you get people to work for free and only pay them when they find bugs.
Re: (Score:1)
Re: (Score:1)
It's more like someone sending two satellites up into space to prove or disprove the theory of relativity.
Then someone sending more to prove it wrong again.
only more like, since software is or should be duelist.
Re: (Score:2)
Seriously though, from the point of view of somebody that makes software this is still blackmail.
I've given up reporting bugs in proprietary software. When I file bug reports with free software projects, someone usually fixes them, and we both benefit from improved software. When I file bugs in proprietary software, I usually find that I am expected to pay for the next version, which fixes the bug. I do QA for them, but get nothing in return.
I don't sell the bug reports to black hats (although one of the last ones that I reported in OS X was exploitable - I think that one's fixed now). There's n
Re: (Score:1)
Re: (Score:2)
We license doctors, lawyers, engineers, accountants... heck, even auto mechanics and hair stylists... we even license TOYS for safety now... You'll note we don't license executives, we don't license Wall Street investment bankers... I think software will have to have some minimum licensing... or companies like Google, Microsoft, Apple, Sony will simply lobby to have their platforms legally locked down and hacking enforced by law... with guns.
This overlooks various marketing opportunities (Score:4, Insightful)
Re: (Score:1)
It is always going to be more profitable in the short term to be dishonest. That's the whole point of dishonesty.
The goal here is to push people a bit more toward honesty, most would prefer to make a dollar honestly than a hundred dishonestly.
Re: (Score:1)
I don't think that's true. I think that most people would prefer to make a dollar they will keep than a hundred that could be seized by law enforcement officials, but that's not the same thing. Lots of people do all kinds of unethical but legal things simply because it means more money. There are some who think as you describe but they are a minority, and even most of them would compromise those principles if they really needed the hundred dollars.
Re: (Score:2)
I doubt that comes into the picture. Criminals in general don't assume that they're going to be caught, there are exceptions, but most don't think they'll be caught. Especially for cybercrime where they frequently hide out in places where the government can't or won't prosecute them.
Re: (Score:3)
Criminals know there's a chance of getting caught, but it's simple risk/benefit.
X = Perceived chance of getting caught
P = Penalty if caught
$ = Profit of legitimate version of endeavor
$' = Profit of illegitimate version of endeavor
M = Offset for positive moral feeling (varies per individual)
T = Thrill factor of going outside the law (varies per individual)
If $'-XP+T > $+M, a person goes criminal. Note that all values must be converted to personal 'worth' of cash/emotion.
Re: (Score:1)
You missed off. System fucked you up.
So M could be on either side.
Re: (Score:1)
That would be your personal opinion.
Allow it to be negative, fine, just put it on the other side.
You're making a judgement of value based on your perspective.
Re: (Score:1)
It's more that, given any set of deeds where one tends to deeds, the set of deeds with least resistance would be chosen. Stress testing may be required. Ponzi schemes set-up: choose an existing one, make your own, or do some interfacing.
There does however exist a set of people who tend to faith; this system seems bizarre to the deed doers. But an old time measure (Martin Luther) related to the notion of free will.
That is to say it was the deed of eating the apple from the tree of knowledge that was bad.
vs
The corr
Re: (Score:2)
Shit, that's how modern business works, not just your everyday individual criminal. Recall if you will the "car recall" speech from Fight Club.
Re: (Score:1)
And besides, the police will just as likely steal your honest dollar as 'drug proceeds'. Good luck getting it back. Honesty, and even basic humanity, has become a quaint old anachronism. Even the illusion (with the US gone down the tubes over the last ten years) has seriously deteriorated. It just doesn't pay. Crime and general savagery, however, is quite the opposite story.
no, law enforcement is the buyer (Score:1)
Re:This overlooks various marketing opportunities (Score:5, Insightful)
Re: (Score:3)
For what it's worth, the bored teenage prodigy effect has certainly come up at least in Mozilla's case, and 2-3 bug bounties is indeed pretty good money for a teenager!
Depends on the price. Maybe we should bid. (Score:1)
For $1000 no. For $5000-$10,000 yes.
Only because we know companies like Google, Microsoft, Facebook and others have the money.
Re: (Score:2)
lies (Score:2, Insightful)
The article's claim that Microsoft would have to open up its source to allow bug bounties is rubbish. Google offers bounties for its web applications, and they are hardly open source. There are plenty of vulnerabilities that can be found using black-box techniques. Facebook isn't open source either and will shortly be offering bounties: http://news.softpedia.com/news/Facebook-Prepares-to-Launch-Bug-Bounty-Program-201405.shtml (I regret deleting my Facebook account)
Experts like Schneier may point out that bo
Re: (Score:3)
Experts like Schneier may point out that bounties don't offer great value for time for professionals, but as a student the money is quite an incentive for me.
Or someone working in a poorer country. Salaries are much lower in poorer countries.
And a lot of people would rather deal with Google than deal with the underworld. They might offer more but what do you do if they don't pay up, or come to take it back just because they claim your exploit didn't work (PEBKAC?), or because they feel like it?
Re: (Score:2, Interesting)
Plenty of security researchers have sufficient ethics/common sense not to attempt to sell vulnerabilities on the black market. They typically either practise 'responsible' or 'full' disclosure, or sit on the vulnerability if the vendor has a reputation of taking people to court. Hell, even for a blackhat it is often simpler/safer to exploit the vulnerability yourself and then sell the cards/passwords you got with it.
Re: (Score:1)
They might offer more but what do you do if they don't pay up, or come to take it back just because they claim your exploit didn't work (PEBKAC?), or because they feel like it?
I suspect this is where Bitcoin comes in.
Or a 'trusted' escrow.
Or a deal like 'half the $$$ up front' and 'half when the customer approves'.
Or.... proof of concept up front; delivery of final product after $$$ irreversibly paid.
Re: (Score:1)
The article's claim that Microsoft would have to open up its source to allow bug bounties is rubbish.
That's because the article writer, and the many people on Slashdot who have said the same thing, are morons. For example, Ilfak Guilfanov [wikipedia.org] the main developer of IDA PRO posted his own hotfix for a Windows vulnerability years ago without ever having access to "teh codez". This notion that people found security issues through staring at the code is laughably wrong and is written by idiots who are ignorant of the topic at hand.
Re: (Score:1)
Sure, you could simply divert the rounded-off pennies of interest deposits to a swiss bank account. No one will ever notice, it's perfect.
Re: (Score:2)
but they do have cookies!
the light side has milk... bummer.
Re: (Score:1)
Capitalism at work (Score:4, Funny)
Dilbert #1 [dilbert.com]
Dilbert #2 [dilbert.com] -- Also explains IE 6
I foresee economic problems (Score:5, Interesting)
Cash For Exploits has several problems:
1) a hacker that manages to engineer a zero-day has a whole line of customers willing to pay serious money for it. Malware authors that just got their cash cow's exploit patched last week are foaming at the mouth waiting for a new zero-day to put them back on track. They're making lots of money on their malware and are definitely willing to pay to keep it running a few more months. Companies aren't usually willing to pay a lot for an exploit (there are exceptions, but they are still uncommon). I'd love to see some hard numbers on what an average malware author nets a month.
2) said hacker can sell it more than once. Possibly many times. Why sell your exploit to the vendor once when you can sell it 100 times to other people? Is the vendor really going to be willing to pay you 100x what one desperate malware author can pay? Hard numbers on what a zero day ends up paying off would be really interesting to look at, and is what the vendors need to be considering when setting their bounties.
3) vendors downplay vulnerabilities as a way of life. They have every reason to tell you that the hole you discovered is of little value and try to cheat you on the payoff. On the other hand, selling it to the malware community is a reputation based system. Sell crap and it will hurt your reputation and hurt your business. They know a good exploit when they see it and will pay you what it's worth. The hacker can either make themselves the Bitch or the Man. Being the Man will naturally be more profitable.
4) if the vendors start snatching up the exploits, it's just going to drive up the price of them on the black market. And any good salesman sells to the highest bidder. At some point, the black market price is going to exceed whatever the vendors are willing to pay. Desperate customers with deep pockets will still get their hands on the exploits. (though this would arguably reduce the number of them in the wild due to higher cost)
5) let's not forget that if you create a legitimate reason to hack your product, it will increase the number of exploits found. Some consider this a good thing, but a lot of vendors consider this a bad thing. And they're usually impossible to convince otherwise.
Re: (Score:1)
Why sell your exploit to the vendor once when you can sell it 100 times to other people?
Why not do both? First sell it on the black market, then when that revenue stream starts to dry up turn around and sell it to the vendor. This strategy has the added bonus of increasing demand on your next exploit when the vendor gets around to fixing the bug you've already sold.
Re: (Score:1)
Hard numbers on what a zero day ends up paying off would be really interesting to look at, and is what the vendors need to be considering when setting their bounties.
OK, look at the size of the US government's black budget. This is what they need to outbid. Oh, but the budget will change as required.
In case you can deliver the goods, my gmail address is doubleplusgoodalbert. We're hiring.
Re: (Score:2)
I'd love to see some hard numbers on what an average malware author nets a month.
Ask either that answer to that or to a question for which you know the answer. The data can be separated.
Protection against crime (Score:1)
Re: (Score:1)
Selling to a black hat is stupid (Score:1)
Re: (Score:1)
My 0-day (Score:1)
So I wrote my 0-day. It's just a denial of service at this point because the actual exploit is heap-based and I'm a total noob and can't write a heap-based exploit. This is an application that, if I were to nmap the internet, I'm sure I would find LOTS of; the whole purpose of the application is about being web-facing. The actual software has been included in lots of products.
I contact the software developer and say, "Hey I have a denial of service vulnerability that could be written into a remote code e