May 21 2015

Bug Bounties Aren't Always the Best Solution for Software Vulnerabilities

Research finds that this popular approach to software vulnerabilities is only effective in certain scenarios.

Following the past few years' numerous high-profile security breaches, today there is a robust market for software vulnerabilities. As Chief Policy Officer Katie Moussouris of leading security firm HackerOne tells it, the launch of a new software product is the start of a high-stakes race between offense- and defense-minded hackers searching for vulnerabilities, which quickly become available on the market to interested parties, such as governments and criminal organizations.

Understanding the economic forces that govern this market is becoming more critical to the players, especially software manufacturers. Moussouris recently shared the findings of a project that studied the zero-day (0day) market in collaboration with MIT policy researchers Michael Siegel and James Houghton and Harvard policy researcher Ryan Ellis. The key takeaway is that bug bounties have limited effectiveness as a tool for finding software vulnerabilities.

While there is a great deal of support for the concept of bug bounties — rewarding white hat hackers' good work — the vulnerability market cannot be determined by price alone. As computer security analyst Dan Geer noted at the 2014 Black Hat Conference, experts suggest that the government offer large monetary incentives for discovered vulnerabilities — a public bug bounty. The government would then turn these vulnerabilities over to the affected vendors.

But the researchers determined that this approach is unsustainable. The main issue is the nature of today’s 0day market: It is a black market, where much of the buying and selling happens in secret. This secrecy means the market doesn’t attract as many participants as do public bug bounty programs, such as the Internet Bug Bounty program (supported by Facebook and Microsoft), which offers rewards for discovered exploits in a wide range of software, including Adobe Flash, Python and Apache HTTP Server.

If this market were brought entirely out of the shadows through wider adoption of bug bounties, talented developers would have strong incentives to jump into the lucrative bug discovery market, leaving few behind at the software manufacturers themselves to then actually fix the bugs and improve the software.

Moussouris, who built Microsoft’s bug bounty program, goes on to explain that bug bounties have their place for finding bugs quickly in less mature software. But beyond those new releases, using bug bounties as a general approach to finding and fixing software vulnerabilities is not effective.

For the large market of mature software, the researchers concluded that a better approach is to create incentives for hackers to share bug discovery tools and techniques. Having better tools with which to discover holes is more effective than having more eyes looking for holes.

Moussouris suggests a multifaceted approach for all IT organizations: Augment Security Development Lifecycle programs with individual bug bounties and create incentives for hackers to share tools and techniques.
