Bug bounty programs are becoming increasingly popular. Under these programs, big organizations offer cash to hackers who discover and report ‘bugs’ in their websites with the purpose of ‘beefing up’ the security of their software – but are these programs really secure?
Introduction
Cybercrimes and hacking incidents have increased by epidemic proportions in the last few years forcing security professionals to put more emphasis on the importance of locating application-layer vulnerabilities. To offer the most secure form of their applications, developers and companies are constantly striving to scan their code and enhance code integrity in the early development stages.
However, one cannot deny the reality that no application is fully bug-free and as such external scrutiny is always an add-on!
This is where bug bounty programs come into play. While these hacking programs often produce alarming scenarios that ultimately end up preventing widespread harm to companies and customers, the security aspect of these programs has always been under suspicion.
Companies that are already running such programs, including Microsoft and Facebook, say that the bounty programs make their products safer. Adam Mein, a security program manager responsible for the Web Application division of Google's Vulnerability Reward Program says:
"We get more bug reports, which means we get more bug fixes, which means a better experience for our users. We also develop positive relationships with the researchers who are finding these bugs."
Bug Bounty and the Security
Big organizations that make bug bounty payouts to the hackers play safe. The security of their company’s information and that of their customers are their prime focus. This is where Zero Day Initiative (ZDI) comes in. These programs offer security researchers big cash rewards and positive recognition for reporting security flaws with the aim of making the internet safer for everyone.
Aaron Portnoy, who manages the ZDI comments: "Every year we report hundreds of vulnerabilities to Microsoft and Adobe for free. If the vendor doesn't have a patch ready in six months, we release the details of the exploit publicly. We put pressure on vendors to fix these problems".
An important issue that arises here revolves around double-dipping, wherein a hacker might collect a prize for reporting a bug, and then sell the same information to malicious buyers. How can Google and ZDI prevent double-dipping? The answer is…they can't.
Every organization that runs a bounty program maintains an honor system, in which it excludes hackers who double-dip. For instance, Facebook opted a completely different way to identify this problem and work to overcome it.
Facebook was one of the first organizations to publish a policy intended to help the hackers feel more comfortable in reporting the bugs they discovered and to ensure security: “We encourage security researchers who identify security problems to embrace the practice of notifying website security teams of problems and giving them time to fix the problems before making any information public. To make researchers feel comfortable bringing issues to our attention, we have adopted the following responsible reporting policy:
If you share details of a security issue with us and give us a reasonable period of time to respond to it before making it public, and in the course of that research made a good faith effort to avoid privacy violations, destruction of data, or interruption or degradation of our service, we will not bring any lawsuit against you or ask law enforcement to investigate you for that research.”
It also ensured that any hacker violating this policy would be punishable under the lawsuit. Similarly, almost all the other organizations offering bug-bounty programs run a ‘responsible non-disclosure policy’ agreement to prevent the chances of double-dip.
However, in the long run, the bounty payers hardly worry about the possibility that the hackers may pass known bugs or security information to bad guys, as those vulnerabilities will become out-of-date in the next patch. The immediate response and repair of these bugs is the reason behind the safety of these bug bounty programs.
The philosophy of bug bounty programs follows thus: catching hackers is too difficult, so it’s better to make sure that the house is secure. The web is unidentified and targeting hackers is too difficult. While hackers cannot be trusted, it’s a lot easier to just eliminate the bugs and the exploits.