The flip side
Though Sullivan says Facebook's bug bounty program is only making the company better, such initiatives have been the source of controversy among some members of the security community.
Adobe, the San Jose, Calif.-based firm that makes the popular Reader and Acrobat software, does not believe providing cash rewards in return for vulnerability details is the best way to protect its customers, says Brad Arkin, the company's senior director of product security and privacy. Doing so could cause firms to focus too much attention on offensive protections, and, as a result, neglect research investments for exploit mitigation techniques.
This imbalance, “can lead to an unhealthy ecosystem where there are too many people looking for problems with too few people looking for ways to solve or defend against those problems,” Arkin says.
Tim Stanley, director of information and infrastructure security for Waste Management, a North American provider of trash removal and recycling services, says he is “on the fence” about bug bounty programs. While he doesn't totally oppose them, he says such endeavors may cause companies to expend too much of their resources fixing old software, rather than innovating for the next versions.
“Every company has a finite set of resources,” Stanley says. Time and money may be better invested in efforts to ramp up secure coding efforts, which are more proactive, he adds.
Instead of providing cash rewards for product deficiencies, Adobe invests resources to test its products for flaws, both internally and externally, through consulting engagements with the security research community, Arkin says. But even so, the company “greatly values” the help of individuals who disclose issues in its products and credits bug finders in its security bulletins.
Mozilla's Sterne says name recognition in itself is extremely valued by security researchers since being credited with finding a flaw in a major site or product is invaluable for the résumé.
Still, a simple “thank you” can only go so far. Researchers have increasingly become fed up with vendors who expect them to disclose flaws for free. In 2009, a group of researchers, including Dai Zovi, started a movement called “No More Free Bugs,” arguing that the reporting of flaws should no longer be given away at no cost.
Mozilla, for one, last July upped the price of its bug bounties from $500 to $3,000.
“We realized there is a big business here,” Sterne says. “There's a lot of money being made on the black market for this type of research.”
Google quickly followed suit, raising the top reward for holes in its Chrome browser from $1,337 to $3,133.70. Since launching its vulnerability rewards program last year, Google has paid out a total of a half-million dollars in prizes.
But even with the price increases, it is often hard for researchers to make a good income from bug disclosures alone, Dai Zovi says. Such a conundrum may lead these individuals to the cybercriminal underground, where highly exploitable vulnerabilities have been sold at auction for upward of $100,000, experts say.
Selling a bug on the cybercriminal underground, however, is a whole different ballgame.
“If you were a black market security researcher discovering exploitable security bugs in software products, you would have to weaponize the exploit, which means setting it up so it is easily deployable and ready to use against consumers on the internet,” he says. That takes a significant amount of work, he adds, and involves first finding the bug and then weaponizing the exploit.
Companies that offer bug bounties only require submitters to find a flaw and demonstrate that it is exploitable. In the end, the question of what to do with a previously undisclosed vulnerability really comes down to the individual's motivation and moral standards.
But knowing about the active black market economy for bugs, software vendors themselves commonly troll cybercriminal forums looking for discussions about vulnerabilities in their products, experts say.
Patching the holes
While vendors are, more than ever before, actively looking for and soliciting bugs, some say they should be more transparent about the issues that are discovered, and provide fixes in a more timely manner. Affected vendors still sometimes wait months – even years – to remediate security issues that are privately disclosed to them, says Dan Holden, director of security research at the Digital Vaccine Laboratories at HP TippingPoint.
“There is no good reason why a vulnerability should take two years to patch,” Holden says. “If you know about a vulnerability, there is a high likelihood that others do as well.”
To encourage vendors to provide patches in a more timely manner, HP TippingPoint last August changed its ZDI bug bounty program, giving affected companies a deadline to provide a fix. If a flaw isn't remediated six months after being disclosed to the vendor, ZDI will now publish limited information about it, as well as mitigation information.
In addition, last year Google called on companies to fix flaws within 60 days, and announced it would publicly disclose issues its researchers discovered if the affected company does not provide a fix within that timeframe.
“Private vulnerability disclosure was, at times, allowing bugs to remain for long periods of time, even when under active exploitation,” Adam Mein, security program manager at Google, says of the company's rationale to impose a deadline.
Such delays have, understandably, been the source of incredible frustration for researchers and security professionals at end-user companies, such as Waste Management's Stanley. Users expect safe, functional products and it's up to the vendors to provide that, Stanley says.
“I suspect some companies fear that if customers know there is a problem with their product, that people won't buy it,” he says. “I'm more likely to buy a product from a company that I know is open and transparent about the issues because it's somebody I can trust.”
But while vendors, researchers and end-users still commonly butt heads about vulnerability issues, most can agree that the existence of flaws will be an issue for the foreseeable future, and working together to combat them is imperative.
Building on the early success of its bug bounty program, Facebook's Sullivan says the company is planning to expand the initiative to pre-production code. Currently, Facebook only provides bounties for vulnerabilities discovered in code that is already in production. At some point in the future, it plans to begin asking researchers to review code that has not yet been released, Sullivan says. Google also says it plans to expand its list of products eligible for bug bounties.
“The security community is a really powerful, amazing group of people that is bigger than we thought,” Sullivan says. “There are lots and lots of people who care about this, if you're willing to talk about flaws. We need to have an environment where people are really open to getting better.”