Thoughts on Bug bounties?

LoLth

Two interesting stories on bug bounties recently that have interesting reactions.

Yahoo! from earlier this month:

http://grahamcluley.com/2013/09/serious-yahoo-bug/

rewarded a bug-reporter with $12.50 in yahoo store credit for his reported vulnerabilities and promptly sparked an interesting reaction on Full Disclosure:

http://seclists.org/fulldisclosure/2013/Oct/6

Some contributors are saying "so what if its not a huge amount of money, we're not in it for profit anyway" others are saying "its insulting and just encourages people to sell their vulnerabilities on the black market instead. More money should be rewarded".

and then recently:

http://nakedsecurity.sophos.com/2013/10/09/microsoft-pay-out-first-100000-bug-bounty/

MS pays out its first 100k bug bounty.

Thing is, I dont understand how security professionals can lambaste Yahoo! for their insulting amount, then praise MS for their generous reward that makes bug finding worthwhile and in the same breath condemn Security firms like Vupen that sell zero days to the NSA.....

http://www.informationweek.com/security/government/nsa-contracted-with-zero-day-vendor-vupe/240161389


surely selling information for profit is black and white? its either why you do what you do or its not. (professional vs ethical perhaps? )

any thoughts?

[-0-]

Google are also doing it: https://www.google.com/about/appsecurity/patch-rewards/

LoLth

[-0-] wrote: »

Google are also doing it: https://www.google.com/about/appsecurity/patch-rewards/

lots of companies are doing it and that's the thing, its become almost commonplace...or expected.

It used to be that the ideal was :

grey hat individual finds a bug in software

grey hat notifies the owner of the software and allows time for a fix

grey hat tells others so that they too can learn of the pitfalls once a fix has been made available so innocents don't get hurt.

If the owning company were nice, they said thank you and maybe, just maybe, gave a reward. If they were dicks, they threatened mr Grey Hat and he either released (leaked) early or said "FU" and wen this merry way smiling at the knowledge that the dicks will get hacked soon enough.

From the Full disclosure discussion, it seems that quite a few are arguing that the old way is the way it should be while others are arguing that "only" offering $12.50 instead of $100k is an insult that deserves having the exploit sold to an eastern European criminal gang just to teach them a lesson.

and yet, these very same people give out about Vupen selling zero days to the NSA.

[-0-]

You can't please everyone. I think the goal here should be secure code. If these bounties help achieve that then so be it. I would also view the 12 dollars as an insult to be honest. The bounty would encourage me to find bugs. In saying that, if you work for an infosec company and you spend all day looking for a vuln and don't find one - you still get paid. If you do it for this bounty, and you don't find one then you're out of luck.

I found a vulnerability in libjpeg which is one of the applications Google are offering cash for. I submitted the bug to the maintainers and they said something along the lines of "We really don't need this section of code anymore and it should be removed. Redhat decided to remove this portion of the code back in 2007". Still, it was fun and took me about five minutes to find.

AnCatDubh

LoLth wrote: »

Yahoo! from earlier this month:

http://grahamcluley.com/2013/09/serious-yahoo-bug/

rewarded a bug-reporter with $12.50 in yahoo store credit for his reported vulnerabilities

At least its better than being stone walled, threatened with legal action, called a liar, insulting your professional capabilities, etc... which we'd often see reported even on this forum -- now this then means that people who genuinely find stuff of potential interest from a security point of view often find the need to go 'underground' in trying to help out a vulnerable site / company.

Should they have given a monetary sum greater than $12.50? IMHO Yes, I think for a company with financial might, they should have given something substantial as per prevailing conditions to reward the individual(s) for their time, thoughtfulness, skills and ingenuity as well as recognising that they've saved the corporate entity from significant (perhaps irreparable) reputational damage. Its not like they'll have to do it everyday (at least you'd hope not).

On the other hand if there was no financial might behind the corporate entity, a small shop, restaurant, or office then a token of goodwill (like a $12.50 tee shirt or a voucher for a meal if it were a restaurant) and to be treated with kindness and respect should be more than enough. But this is off the point somewhat.

But, for Yahoo, at least they've listened and responded.

Khannie

ACD more or less sums it up for me. The 12.50 was derisory. Probably actually worse than nothing.

Personally I wouldn't be inclined to go after bug bounties unless it was in an area that I had very specific expertise. The reason is purely financial - people with similar knowledge levels who can live on less money will be competing against me. Makes better financial sense to use my time elsewhere.

h57xiucj2z946q

boards.ie should run their own. And back date it to include https://www.boards.ie/vbulletin/showthread.php?t=2056582381 !!

LoLth

Aron Mango Actress wrote: »

boards.ie should run their own. And back date it to include https://www.boards.ie/vbulletin/showthread.php?t=2056582381 !!

I bought you a pint as your bug bounty but the post office woman made me drink it before I posted it in case it spilled. Did you get the glass?

h57xiucj2z946q

LoLth wrote: »

I bought you a pint as your bug bounty but the post office woman made me drink it before I posted it in case it spilled. Did you get the glass?

Hahah no, will just have to give the bugs to a more competitive interested party next time!