Tough bug bounty programs exclude amateurs

Less critical flaws could go unreported.

The number of vulnerabilities reported last year has fallen by nearly a fifth, leaving a majority of users unaware of smaller, non-critical software faults, according to researchers.

HP DVLabs' 2011 Top Cyber Security Risks Report, last week catalogued only 6843 vulnerabilities in internet-based systems, applications and other software, compared with 8502 last year.

Researchers pinned the decline on companies offering more money for information regarding flaws that were more difficult to find, leaving a number of less critical flaws undiscovered.

Other non-critical flaws may have been fixed by the affected companies and not reported, they noted.

Of the vulnerabilities reported, about a quarter were classified as highly severe, attaining a score of between eight and the maximum ten on the National Vulnerability Database's Common Vulnerability Scoring System (CVSS).

Small wins, cleaner code

According to Colin Percival of the open source FreeBSD Project, organisations could weed out more vulnerabilities by offering small payments for the identification of easy-to-find bugs and vulnerabilities,

The FreeBSD security officer and core team member told iTnews' sister publication SC Magazine Australia that despite large bug bounties, complex vulnerabilities tended to draw fewer responses because they took longer to discover.

Bounty schemes that offered rewards for only tough bugs deterred amateurs who weren't prepared to spend days or weeks seeking them, he noted.

“Big bounties are won often by professionals looking at code and while that has value, the open source world has a lot of bug reports from [novices] who tend to just see something wrong and file a bug report,” Percival said.

Last year, Percival altered the bug bounty program for his secure backup service Tarsnap to offer payments for the smallest vulnerabilities and bugs.

“I offered bounties for everything, even typos, so rather than spend a week, people can pick up a few dollars on the way home," he said.

Percival suggested that vulnerability programs may also be improved by dividing large blocks of code into sections that could be more easily read by novices, and including English-language comments to explain what the code does.

“Many people won't read really ugly code," he said.

The HP DVLabs report gathers information from HP DVLabs' Zero Day Initiative, web application data from the HP Fortify Application Security Center (ASC) Web Security Research Group, and the Open Source Vulnerability Database (OSVD), an independent open source database.