Many technology companies are beginning to embrace the concept of bounties to enhance the security of their products, websites and apps. Bounty programs promise a reward to those reporting security issues and are just one of the ways vendors and researchers can interact. These rewards range from honourable mentions, to free swag like shirts, airline miles and even hard cold cash. The type of award and amounts range from company to company, and are usually tied to the severity of the vulnerability.
Part of the bounty process is usually a requirement to adhere to the principle of responsible disclosure — a promise not to publish or disclose the details of the security issue found until the company had the opportunity to fix it. This allows the company to fix the problem with sufficient testing time as opposed to the case where something is already public and there is both public and internal pressure to rush out a fix as fast as possible. In some extreme cases, companies may “gag” researchers by forbidding disclosure all together even after the bug is fixed. Because computer security is an ever evolving field and researchers often learn from previously discovered security bugs, hiding those details is generally not conducive.
Why would a vendor pay bounties?
Security issues have an outsize impact because of the damage they can cause. A broken word processor that eats your resume for lunch affects subset of users. An insecure word processor automatically lets malware in, affects a lot more people. And a broken word processor that is hosted on a server instead of your laptop, can be used as a gateway to burrow into a company and attack other systems inside it.
Because a security bug affects other things on your computer and possibly other devices, it is way more dangerous that a regular one. Additionally, security bugs are highly attractive to attackers because of a larger possible payback for an attack. Another interesting thing that has been happening in the technology world recently is that an underground black market has developed specifically focused on finding, trading, selling and buying security vulnerabilities. The most severe of these are known as “zero days” and impact commonly used software like web browsers. Those often command six and sometimes seven digit payouts. The actors on these black markets often include governments and intelligence agencies.
Bounty programs that are run by vendors are positioned as a safer alternative to the black market with bounty payouts often as high as what the open market commands without the risk or hassle of dealing with the underground economy.
How does the bounty process work?
The bounty process is pretty straightforward most of the time. Usually a company publishes guidelines of how their bounty process works. This includes details as to which systems or products are in scope, what kind of bugs are covered and what kind of testing is allowed or not allowed. Often automated testing is a big no-no, because companies do not want their production systems to go down. There will usually be a way to contact the company, often with the use of email encryption such as PGP. Some companies choose to use third party vendors to administer their bounty programs such as HackerOne and BugCrowd. These third party vendors will take a cut of the bounty payout or get paid by the vendors directly.
A researcher would send data to the vendor via encrypted email or some other method preferred by the vendor. The vendor would acknowledge the receipt and then triage the reports. Often reports may be rejected for a bounty payout because they cannot be replicated, they are out of scope for the program, do not affect a system described in the bounty, or are not severe enough.
Once accepted, the vendor will usually begin an investigation. During this process, which sometimes can last weeks or months, usually there is no more communications between the vendor and the reporter, other than follow up questions, until the vulnerability is confirmed and fixed. Once the bug is fixed and published, the bounty is paid out and the researcher is usually free to publish the details.
The dark side of bounties
While security bounties in theory, enhance the overall security of technology products and services, there are several dark sides to this process as well. First of all, vendors can use the bounty process as a way to influence security research in ways they want. One example of that maybe the use of the “gag” as described above. Another way may be to drag out the evaluation and fixing the potential bug as long as possible in hopes of reducing the amount of bad publicity for the vendor. A more sinister way is the use of legal process including lawsuits, injunctions or in extreme cases even criminal complaints.
Because of the possibly delaying tactics employed by some vendors, there are vulnerability researchers, most notably Google’s ProjectZero, give vendors a hard deadline after which they will publicly disclose the vulnerability (and lose the bounty). This remains a controversial tactic within the community and it remains to be seen whether it is effective.
For the company operating bounty programs there is an increased risk of their systems being breached and going under due to the increased amount of testing, especially brute force and highly automated testing, even if forbidden by the bounty. However, often the advantage of knowing about a security issue and having ability to fix it early will outweigh the potential impact of possible testing.
A more extreme case is sometimes seen where the discover of the security issue blackmail the company outside of any formal bounty program, with the bounty program seen as a sign of the willingness of the vendor to pay up.
Last, there is also an overall commoditization of security research, much alike the various on-demand services that exist today for other things like cars, food, etc. Instead of hiring internal security testers or expensive third parties, bounty programs offer a way for companies to “Uberrize” the security research process by allowing many people to take part of it, but at a lower payout to each. Essentially, they are paying for on-demand security testing but much less than a full-time salary or consultant’s fee would be.
The Future of Bounties
While the proponents of security bounties argue powerfully for their benefits and their opponents argue against them, the jury is still out there of what effect of offering cash rewards has on security research. As more companies experiment with security bounties, it would become more clear whether they are beneficial or detrimental to those companies, their users, the security research community and the Internet as whole.