Companies are afraid that offering large sums of money would attract more attention to exposing their incompetence !
Hunting for exploitable security bugs in software is not an easy way to make a living, and vulnerability researchers say vendors who don't pay out for reports are making life even harder while putting their own products at risk. Such was the case with João Figueiredo, a researcher in Brazil who tracked down and reported remote …
Better than the other way of exposing their incompetence* which is to have all their customer details stolen or their website brought down. I know which I'd prefer.
*Incompetence is a little harsh, I suggest. All software of any size has bugs and vulnerabilities, doesn't matter who you are or how good your programmers are - nearly all are human after all. I would suggest that the security teams for many companies would have a say over bug bounty programs and these very teams are the ones who don't wan't to attract large scale attacks on their systems by researchers which may or may not decide to claim a bounty via the official route if they find something significant.
If the ethical bug hunter finds a bug, properly reports it, & gets nothing from the folks it was reported to, then the ethical hunter will stop hunting for your bugs & go elsewhere.
The unethical hunter may start by letting you know & expecting to get paid, but getting rebuffed (or given swag as an insult), then the unethical hunter will instead turn to selling said bugs on the dark web hacker fora. You don't pay them then perhaps someone else will & not for very nice purposes.
If you ask mechanics to review your car & make sure it won't go up in flames, then refuse to pay them for their time, the honest ones will refuse to do business with you in the future & the dishonest ones will "find nothing wrong" to your face & promptly take full advantage of any flaws they DO find.
Don't insult them by offering swag, pay them what their efforts are worth. You pay them, they'll keep hunting for bugs, & your product will become safer/more secure as a result. Insult their intelligence & they'll still find the bugs, they just won't *tell you* about them.
"It would be as if a mechanic walked up to your car to do an inspection..."
O.K. but, it's by regulation that inspections and emissions tests are mandated (under various circumstances).
And, when (or if) we get self-driving cars, are their going to inspection requirements to make sure the code is appropriately patched to insure that other cars and passengers on the road are not endangered.
The more that we come to depend upon software, the more there will come to be a mandate for safe software that does not endanger others. It will be interesting to see what happens to the bug-hunting market then.
A completely accurate analogy is hard, but it is something like if a mechanic approached me and informed me that my car had a serious fault with it, and explaining why. Depending on the details, I might not care that much or I might be very interested in the risks. In the latter case, I'd be grateful that I was able to avoid the negatives and I would offer said mechanic some recompense for the useful service they provided. In the other case, I'd not do very much. However, it sounds as if the bugs found were considered very important, so a shirt, which is the equivalent of a thanks from me, seems less than justified..
Bug-bounty programs are difficult to structure, manage, and budget for. With large organizations it's extremely difficult to accurately estimate how many unsolicited reports you'll get from outside researchers over a year. The value of a report is difficult to determine: computing metrics such as CVSSv2 or v3 scores is rather subjective, the security sensitivity of the product and exposure to customers has to be taken into account, the development team may claim to have been aware of the issue already, and so on.
Sometimes you get multiple reports from independent reporters. Sometimes reports are simply incorrect, or refer to old product versions which are no longer supported, or only apply to configurations which are specifically documented as insecure.
With a large organization, getting agreement on bounties across all units is difficult. Should all products have similar bounty structures? What about reports for vulnerabilities in public-facing websites? Or in infrastructure? To get any sort of consistency you need clear direction from the C-suite level.
Often a PSRT can quite easily get approval for swag, but getting a bounty program in place can take years of lobbying top executives. You do what you can.
And some big companies just don't listen or have an interest.
We got DOSed by Google 2 years ago. Probably a poorly configured server in their California server farm. It was pushing 100mbps down our 10mbps pipe.
Emailed the abuse and webmaster addresses as a first step, both got an automated reply saying that they get some many abuse reports that they never read any emails going to those accounts...
Tried phoning them, but after being pinballed back and forth through their automated phone system, the best information I could get was to check the Google website for the relevant category (they don't have a page dealing with being attacked by Google), before the telephone system tilted and kicked me out.
Tweeting Google, pleading with them to stop DOSing up didn't bring any response either.
In the end, we got a 30 day block at the ISPs perimeter. We were in the middle of moving anyway, so we just abandoned the old IP address and moved over to a new one at the new provider.
Quoting Anonymous Coward:
"I quit reporting vulnerabilities years ago - it's hard to get anyone to listen to you - most of the time you are ignored."
You're absolutely right AC, my experience is exactly the same, but I still go on reporting. For example I've been reporting to Exertis, British Gas, the BBC and the DVLA, all for over a year. Nowadays though, as they've ignored me, I just like to drop the names...
Ooooh - I forgot to mention The Register! (Guys, see my mail sent to you at 18:37 on 15 Sep 2017.)
In that case, you *do* report them... to the press.
But only after making sure you have your back very well covered, and they can't find out who you are.
Sadly, as we know all too well from experience, many companies not only don't care about such things, they strongly dislike being made to look bad and will actively attempt to have those reporting such vulnerabilities portrayed and/or prosecuted as "hackers".
will actively attempt to have those reporting such vulnerabilities portrayed and/or prosecuted as "hackers".
Years ago, when open FTP was still a thing (don't tell me it still is) I went onto a download site - a Norwegian Universtiy IIRC - and realised that I'd just cd ..ed past my original access directory. And then realised I could keep going. Maybe to / if I'd tried.
Maybe I should let them know. Maybe not. I decided "not" would be easier.
Here's a question for you. Have you ever been excited or even generally pleased about a free shirt from a company or event? For me, they've ranged from "Well, now I have another shirt" down to "Well, now I have another thing to wear if I decide to paint". That's without considering the possibility that I might not want someone else's logo displayed on my person. Of the many really cheap things you can make a bunch of and give to people, most are more generally useful.
Oh, and the bug finders don't need more shirts, people. I thought you could figure that one out. They've saved you the time and money it would cost to find the bug yourself or to deal with whatever problem would occur if someone else found it and sold it on the dark web. Show them some respect by giving them a small amount of that.
My Microsoft Internet Explorer 3.0 Midnight Madness t-shirt - I was very excited to receive that one lol. Four downloads over a 56k modem, three eventually failed, no auto-resume... yeeeah... Have a Netscape Communicator one I'm pretty fond of too.
That being said, most of my wardrobe consists of free tshirts from various companies, but I don't have to work for them - you have to pay to make me look at your network. Til then, don't care. No time.
>Still have my Windows 2000 System Builders t-shirt around somewhere..... Covered in paint and oil....
I think you might ave been building it wrong.
Or I'm parsing it wrong and MS delivered a version of their best OS for the construction industry - did it come with a bum crack ?
I once did a consulting stint for a large company with a famous name & easily recognizable logo. They gave me a company shirt as a thank you gift. I thought nothing of it at the time, tossed it on the pile of all the other shirts, & ignored it.
Fast forward a year or so & I'm no longer working there, but I still had the shirt. I'm wearing it on a day off (because it was a nice & warm shirt on a chilly day) and walk into a local electronics mega store. I get grabbed before my eyes have adjusted to the light & someone is howling at me "It's about damned time! We've got a real shit storm headed our way & it's all your fault!"
I politely extract myself from their clutches & ask them WTF. It turned out that they thought I worked for said company *because I was wearing an official company shirt*. I explained that I didn't work there, I merely had the shirt.
It turned out that the store was having serious server issues & had called in a scream for help from the company. They thought *I* was the rep sent out by the company to help them. Had I felt like being a right bastard I could have pretended to be said repair tech, gained access to their servers, & caused such destruction that the store might never have recovered. Instead I told them the truth. They were confused, annoyed, then sheepish. I was given a ten dollars off coupon in thanks that I had *not* pretended to be what I wasn't. The real rep arrived while I was still beside the door being grilled by the manager. The real rep looked confused. "Are you here from $Location office? I'm from $OtherLocation."
I explained the situation, that I was just a regular guy that once worked for the company & still had the shirt. The real rep laughed, nodding his understanding, & scampered off with the manager to get shit done.
Don't hand out official company shirts to folks if you aren't sure those shirts won't be improperly used. All it takes is one case of mistaken identity & your company might find itself up to the neck in repercussions. =-|
I once did an event for my company where the uniform they gave us for the day was a bright orange polo shirt. I made the mistake, on my way home, of stopping at Sainsbury’s to grab some groceries. What is (or was at the time, I’ve not been in there in years) their corporate colour? Yes.
I got asked by so many people for help finding things (“Do you have this bean lard mulch with vitamins?” “Do you have smaller spoons?”). If I were in a bad mood I could have caused so much damage to their customer service reputation that day...
You don't even need an orange shirt. Once upon a time we all wore suits to work, but not many suit-wearers went to the supermarket*. I've been taken for the Manager** more than once.
* In the sticks, that is. Probably different in a city.
** Perhaps I used to buy the sort of crap suit that a supermarket manager would wear.
Some street theatre group did that with BestBuy in New York
They dresses people up in blue polo shirts (without logos) and khakis and had them walk into the store a few at a time until the store had 100 apparent employees.
It got even weirder when the police were called and tried to work out who/what/why to arrest
Why would you want your friend to advertise a company (via his t-shirt) that you don't have much respect for anyway? It's not like t-shirts are worth that much in themselves...
Unless he uses it for DIY et al for years until it looks dreadful (like my Dad's ancient "Amersham" sweatshirt) then goes around wearing it in public, making Sony look bad by association. :-)
..is why the Sony Pictures Hack happened. Cause they simply don't give a fuck.
I got offered free magnets from a very small online store, years ago that wasn't using HTTPS on their store page & I wanted to order from them due to being the only ones that sold the tiny powerful magnets to stick in models :)
Free magnets. Great.
Anyway. Others I've reported I've just been ignored but then seen them fix said issue a few days later. Another company replied back quite defensive who, it was clear, had been running unsecure for years from the previous owners. And local gov and other small companies use this site! They've fixed some of the reported issues but not the rest and then stopped replying to my e-mails. And the biggest one that was ignored was Twitter. I reported to them years ago, once signed in, if you went to reset your password, their code would sometimes push you to a http page instead of https. I reported it, was totally ignored so I disclosed the issue on YouTube. A tech and security journo picked the story up and they listened to him (I'd never heard of the guy, I just happened to come across his blog post one day) and he put in a mention that I'd reported it and been ignored.
I don't really bother much now.
It still shocks me that a large number of rewards on Bug Bounty lists are nothing but 'Hall of fame' or 'Swag', or neither at all. It's genuinely insulting to people that have spent time (and often money) learning these skills, only to be rewarded with a T-shirt or mention on an unadvertised web page. Why would anyone want to find a bug in your system or code just to be condescended by unenthusiastic "rewards".
I understand that some people do it for fun, and that is fine of course, but companies offering no genuine reward for help potentially saving them millions are probably the same ones that expect employees to pay for their own coffee in the office.
There could be a lot of benefits in having publicity. Don't publicize the errors much, just say that they were fixed, and the person reporting them got $large_amount_of_money from you. That attracts others to try to find vulnerabilities in your system so they can get $large_amount_of_money too. Not that you always pay them a large amount--that depends on the scale of the bugs they found for you--but if the bugs were indeed critical, they deserve it and you can use it.
Based on my experience with Sony Mobile and Sony Bluetooth I am never going to buy their hardware again. Its buggy and unstable. I am not surprised to read about this reaction about when bugs are discovered. At best, Sony Mobile fixed a bug that resulted in a crash when the Wi-Fi interface was in Icelandic on Android 8 on Sony Xperia XZ Premium. Other bugs (unstable Wi-Fi) were not fixed.
My boss got a Sony Vaio many years ago, and the motherboard blew on it. Thankfully it was within the warranty period. The downside was the boss had been storing all his photographs on it, in a non-backed up area. Next problem- the hard drive was not accessible without dismantling the machine (first for me). I rang Sony support (after paying for the privilege) to be told by a passive aggressive little shit, that I was to backup any data before returning it to them as the drive would be blanked; and that opening the machine to get at the drive would void the warranty. I kept pointing out that the motherboard was fried, but he just kept repeating about backing up and voiding the warranty.
In the end the boss decided that the photographs were more important. And he also issued a decree that the company was not to buy any more Sony products.
Your boss is a $@% - any idiot that does not back up stuff deserves to lose stuff. Any puter can suffer a failure and laptops often need to be pulled at least partly apart to get the hard drive. If you can't afford to lose it, and you don't back it up, cry quietly in the corner somewhere.
I found a corruption similar to CloudBleed while tracking down a race condition with our SPA communications. The problem was most likely caused by an obsolete Cisco web appliance, but some chance it was IE11, and a small chance that it was CloudFlare.
CloudFlare use HackerOne but don't seem to offer a bounty from what I could tell.
Why would I waste time tracking down the root cause without getting paid? I get paid in my job to find bugs, and fix them. I don't do it for free, and I certainly don't need kudos or T-shirts.
So the vulnerability is not notified - everyone loses.
I have some idiot continually trying a dictionary attack on one of my servers, and I get zero response from their ISP or the one upstream. Their problem: they're in Europe, so I'm collating the logfiles and then send it on to the local police.
And filter out that IP address, of course.
Look... if a company doesn't have a published policy for bug bounties, then you aren't likely going to get anything but swag--if that.
The InfoSec organization in the company doesn't have funds set aside for bounties, and they can't just give money to someone--even if they want to.
So if you're trying to make a living doing this, then search for those businesses with a published bounty policy.
As he sits at his computer in a Sony tshirt, a young man who feels he's been screwed post on the dark web many weaknesses in the Sony website he hadn't disclosed yet. Sony I hope someone reads this because it can happen. They might not hack you but instead pass the gun to someone who without hesitation will hack your site and do other things if their is a way from the site to other parts of Sony. Hell letting loose a crypto program so the server is all but bricked might make them put a few thousand out of their tightwad wallets to actually show a bit of gratitude to the people that are doing this great service for them and not spit on them by sending them marketing materials. Only a stupid person would think that was appropriate. Hell if not cash send them at least the latest PlayStation or are you to cheap for that. Well when they get hacked so big their website is down for days or even weeks then they'll pay more for what they should have paid up front.
Biting the hand that feeds IT © 1998–2019