Bug bounties have bugs of their own
SAN FRANCISCO—Growing pains are attacking bug bounty programs much like horse flies attack East Coast beach visitors in late summer. They pester and bite, and they aren’t easily swatted away.
Bug bounty programs, which are built on vulnerability disclosure agreements coordinated between sponsor companies and hackers attracted to the possibility of fame and cash payouts for their research, have yet to implement adequate legal protections for hacker participants, says Amit Elazari, a University of California at Berkeley Law doctoral candidate and expert in the legalese behind bug bounties.
Today’s bug bounties often also create an incentive structure that emphasizes headline-grabbing payouts over actual consumer security improvements, warns Katie Moussouris, CEO of Luta Security, who has spent more than a decade working on coordinated vulnerability disclosures and bug bounty systems.
READ MORE ON VULNERABILITY DISCLOSURE
What’s in a bug bounty? Not extortion
How to attack security issues like Google and Microsoft just did
Bug bounties break out beyond tech
The dark side of bug bounties
As bug bounties proliferate, hacking contests maintain strong pull
When to disclose a zero-day vulnerability
Elazari and Moussouris respectively presented their latest findings at the simultaneous hacker and cybersecurity conferences BSides and RSA, held in San Francisco this week.
Only four bug bounties have legal “safe harbor” terms for bug hunters and researchers in line with the Department of Justice framework, Elazari says, which could expose them to legal action, including lawsuits. She worries that getting vendors and bug bounty management companies like Bugcrowd and HackerOne to change won’t be easy because platforms can’t force their clients to change terms.
“I think that if the best hunters mobilize and decide they’re not participating in programs lacking safe-harbor terms, then you create an effect on the whole market,” Elazari says.
The issue of protecting hunters and reporters is serious enough that the Center for Democracy and Technology published on April 10 a letter signed by nearly 60 researchers and journalists asking vendors to stop suing them for disclosing vulnerabilities.
Elazari points to an incident last November between Chinese drone maker DJI and a security researcher as a prime example of how signing a bounty agreement doesn’t provide legal protection—even from the company offering the bounty.
DJI threatened to sue independent security researcher Kevin Finisterre under the Computer Fraud and Abuse Act after he found vulnerabilities in the company’s code when participating in its bug bounty. In response, the researcher went public with the company’s attempts to intimidate him, warning other hackers about its practices.
While hackers remain exposed to potential criminal and civil lawsuits, bug bounties remain an appealing path for hackers to test their mettle. Economic incentives play an important role in the development of bug bounties, as evidenced by ever-increasing bounty payouts—Google and Apple now offer $200,000 rewards for their hardest category of bugs to discover—and the massive amounts of cash being invested in bug bounty management platforms built by Bugcrowd and HackerOne.
“Hackers are earning more because they’re getting more creative,” says Casey Ellis, CEO of Bugcrowd.
Both companies say they reward hackers with an average bounty payout of $590 to $600, up from $500 two years ago. And both companies recently completed Series C investment rounds: $40 million for HackerOne, and $26 million for Bugcrowd.
Many industry observers can easily point to the Uber case from last November as misuse of a bug bounty, when the ride-sharing company revealed that it had hidden a data breach affecting 57 million users and drivers through a bug bounty payment out of the scope of its legal terms.
During Congressional hearings in February, Uber admitted that it had been extorted, and earlier this month, the Federal Trade Commission castigated the company for “misleading consumers” and violating its 2017 consent decree. The FTC has submitted an expanded version of that decree for approval.
Moussouris argues that bug bounty sponsors are misusing the programs in ways other than violating their terms. When at Microsoft, where her work was instrumental in getting the company to modernize its relationship with independent security researchers, and led to its first bug bounty in 2013, she found that independent researchers working on newer, in-development versions of its Internet Explorer browser would hold reporting bugs until after it became available to the public because they wanted the recognition in a company bulletin, a move which inadvertently put consumers at risk, she says. Microsoft responded by creating a bug bounty for the beta version of the browser to give researchers the recognition they wanted and protect users in a more timely manner.
Many of the bugs organizations learn about through these programs are “low-hanging fruit” such as cross-site scripting (XSS) vulnerabilities that they could easily have caught and fixed themselves, she adds, through adequate internal testing. And many of the bugs discovered through these programs are not being adequately addressed in a timely manner.
“There’s a difference between paying for bugs, and actually becoming more secure,” she says. “Most vendors struggle to deal with the vulnerabilities they already know about through traditional means.” For eight months, for example, Panera Bread essentially ignored a vulnerability report a researcher had submitted to it in good faith—until it received a public drubbing over it.
That kind of response from an organization to a vulnerability disclosure would violate legislation proposed by Sen. Mark Warner (D-Va.) that would create a national vulnerability disclosure standard.
Mårten Mickos, CEO of HackerOne, says patching newly discovered vulnerabilities is paramount for organizations participating in bug bounties.
“When you find them, you have to fix them,” Mickos says. But that doesn’t always—or even often—happen. And until organizations devote resources to vulnerability patching, as well as vulnerability discovery, low overall prices per vulnerability won’t motivate more talented hackers to sign up.
In a new bill passed by the U.S. Senate that allocates $250,000 to establish a Department of Homeland Security bug bounty, there are no requirements to patch the vulnerabilities reported to it except to detail “remediation plans.” Vulnerabilities could legally continue to go unpatched for many months.
Brian Gorenc, the director of vulnerability research and Trend Micro’s Zero-Day Initiative, which runs the annual Pwn2Own hacking competition and has been involved in the bug bounty marketplace for 10 years, says that while the bounty market is growing, organizations need to be better about patching the bugs they receive.
“The idea is for the programs to fix bugs, not to hide things. People running the programs need to be ethical,” he says.