Register Now for Great Online Training Offer: Get a 12.9" iPad Pro, Surface Pro or $350 Off

SANS Security Trend Line

Bug Bounty Programs - Software's "Secret Shoppers"

Interesting paper out from several researchers at Berkeley: 'An Empirical Study of Vulnerability Rewards Programs' VRPs are those "bug bounty" programs that some software providers, like Google and Mozilla, and even some security companies (like HP/TippingPoint), run to offer cash payments for anyone discovering legitimate vulnerabilities in software. The bottom line in the study is mostly that Google's approach seems more effective overall than Mozillas, and that the cost/vulnerability found is less than the cost of hiring enough vulnerability researchers to find the same amount.

I'm not so sure about that last part - any software producer running a VRP has cost associated with administering the program and QAing the submissions, etc. Outsourcing to a trained staff of testers in some low wage country could be just as cost effective as paying bug bounties. But in general I think that incentivizing good bug finders out in the software community does end up acting as a "force multiplier."

When these programs first started, there was hope that paying for bugs would reduce the number of zero day vulnerabilities that bad guys exploited before the good guys knew about them by causing bug finders to take the easy VRP money vs. getting involved in shady online sites where you get paid in eGold or in shady WalMart gift cards. I don't think there is any evidence that has really happened - there are plenty of skilled bug finders on the criminal side.

I wasn't very optimistic about these programs when they first started - to me it was as if cereal companies said "We will pay you if you find a dead rat in your Cheerios" - much better to find the dead rat before you ship the box of wholesome oat goodness to your customers. But the reality is that software engineering is still an oxymoron - since there is no handbook of materials strength, and since the properties of the product keep changing, there is no real way to keep all of the vermin out of the cereal.

The reality is that software isn't truly a product business. It is something more than a craft business, but it is actually more like a service business than a craft business. Many service businesses use "secret shoppers" - civilians who get paid to have their car repaired, order a hamburger or buy some groceries and report back on "bugs" in the service. Bug bounty hunters are sort of the logical equivalent of that - and those programs are likely to be with us until software engineering is not an oxymoron . Or until the sun goes out - whichever comes first.

Post a Comment


* Indicates a required field.