Extortion or fair trade? The value of bug bounties

Vendors without bug bounty programs risk the wrath of the infosec community, but such programs must be constructed carefully to yield optimal outcomes.

A security researcher, sitting on what he claims are 30 flaws in various FireEye products, is demanding the security company pay researchers for vulnerability reports.

The confrontation highlights the challenges organizations face when working with the security research community.

Kristian Erik Hermansen initially said he tried to work with FireEye to fix the vulnerabilities -- and FireEye ignored him. “I tried for 18 months to work with FireEye through responsible channels, and they balked every time,” he said, according to a recent post on CSO.

Digging into the timeline, it appears Hermansen notified FireEye that he found serious issues, but demanded compensation. Since FireEye didn't have a formal bug bounty program in place, Hermansen refused to provide further details of the issues and insisted the company first implement a program for paying researchers. That was a little more than a year ago. FireEye learned of the details of one of the vulnerabilities along with everyone else when Hermansen posted information on Exploit-DB and Pastebin over the weekend.

FireEye said it has repeatedly reached out to Hermansen over the past year to learn what sort of information he has, but he kept asking about compensation. Hermansen told CSO he won’t talk to FireEye unless the company pays him. The current price tag is set at $10,000 per vulnerability.

Bounty or blackmail?

Many software vendors find themselves in similar, precarious situations. They want to secure their software, but “do not want to be held at ransom, or have vulnerabilities in their products sold to zero-day brokers,” said Ken Westin, a security analyst with Tripwire.

FireEye was at a distinct disadvantage because it lacked a program for paying researchers for their vulnerability reports. Over the past few years, many companies have started offering such programs, with Google and Facebook as notable examples. After years of Microsoft publicly stating it wouldn't pay for vulnerabilities, it finally launched a variety of incentive programs to work with security researchers. The Zero Day Initiative from HP TippingPoint and companies such as Bugcrowd and HackerOne have made it easier to connect security researchers to companies for rewards.

But setting up a bug bounty program isn’t a simple process, and it's even more challenging for large companies with legacy codebases, multiple product lines, and complex ecosystems, said Katie Moussouris, chief policy officer of HackerOne. They need to have processes for developing more secure software, such as doing their own static analysis, threat modeling, fuzzing, and penetration testing of their code. In short, the organization needs to adopt a secure development lifecycle or application security program. Developing a vulnerability response program comes later.

“You have to be testing your own code before you can start [a bug bounty program],” said Moussouris. Otherwise, the company winds up paying out for “low-hanging fruit” or issues its own developers could have likely uncovered.
