Roll out the welcome mat to hackers and crackers

A clear and easy to read policy is key to developing a good internal bug bounty program, according to BugCrowd which has published guidelines to help businesses encourage the security community to report vulnerabilities. Bug bounties are an increasingly popular means to provide a legally safe avenue for security researchers to …

  1. John Smith 19 Gold badge
    Thumb Up

    Remember, business people, they're telling you about it because they like you.

    If they didn't, the first you'd find out about it would be when exploits appeared and started hitting your (or your customers') bank accounts.

    So make it worth their while.

    And if you're worried that too "generous" a reward encourages people to go bug hunting on your software why don't you institute better development methods to catch them before release?

    This is a Board level issue. Someone saves you a $m+ hit from a hack a script kiddie could mount at any time and you want to hand them a f**king tee shirt? How about $100k instead?

    Thumbs up for some simple sensible guidelines.

    1. Trevor_Pott Gold badge

      Re: Remember, business people, they're telling you about it because they like you.

      "This is a Board level issue. Someone saves you a $m+ hit from a hack a script kiddie could mount at any time and you want to hand them a f**king tee shirt? How about $100k instead?"

      The answer is quite simply arrogance. Given the contempt that a lot of these companies have for their own customers, partners and staff, what makes anyone think that they'd have greater consideration for security researchers?

      The size of the company doesn't matter either. Lots of SMBs - in my experience software developers are the worst for this - believe they simply know better than everyone else. Their vision is so pure, their execution so flawless and their designs so beyond reproach that anyone who questions them is not merely an affront to their godhood, they are blasphemers.

      Consider, for example, Microsoft's approach to the Metro UI. Customers, partners, developers and staff who didn't like it were considered apostates and cast out. That same contemptuous arrogance resonates throughout the industry, ultimately resulting in a - to put things politely - "combative" relationship with security researchers.

      It's also why in-house penetration testing and security research is so often left until repeated failures force the issue: the consideration is not merely one of money or "shareholder value". To accept that such things are required is a painful affront to the ego, self-importance and exceptionalism of the powerful alpha nerds who run the place.

      It's easy to point to majors like Yahoo! and say "that t-shirt thing was board-level penny pinching", but even with a company that large it isn't that simple. The issue has to be raised with the board. Who is going to do that? The devs? For all the reasons above, that's unlikely. And once it is raised, what is the board going to do... probably talk to the devs and see if it is "really necessary".

      This is why I think the BugCrowd guidelines are a great idea, and something sorely needed in our industry. They are an objective standard that you can present to a board. You can say "here is the best practice, regardless of what the alpha nerds say."

      You will likely never convince the superprogrammer owner/operator startups that this is required... but it should help convince companies like Yahoo in the future. Any company where the board isn't made up of alpha nerds with a personal investment in the code itself should be able to be convinced by something like the BugCrowd guidelines.

      It's sad that we need stuff like this... but it is very human that we do.

  2. DavCrav

    @John Smith 19

    "If they didn't, the first you'd find out about it would be when exploits appeared and started hitting your (or your customers') bank accounts."

    Pay us or we'll steal from you/your customers? What is the difference between that and extortion?

    Don't get me wrong, I think bug bounty programmes are better than no bug bounty programmes, but $100k/bug is serious money, and will encourage criminals. Coder puts an obscure bug in code, friend flags it up, $50k each? Easy money. If you think that's unlikely, why do you think it's likely that if security researchers don't get paid big money for bugs they'll sell them to cybercriminals?

    Edit: added a subject because I was obviously too much of a moron to hit the reply button.

    1. DropBear

      Re: @John Smith 19

      Okay, $100K might be pushing it indeed. But the other end is equally ludicrous - a t-shirt? Really? There has to be a decent amount of money offered if you want to get well-meaning people more interested than black hats will be: less than $1K for pointing out a potential attack surface is just not realistic.

      1. DavCrav

        Re: @John Smith 19

        "Okay, $100K might be pushing it indeed. But the other end is equally ludicrous - t-shirt? Really?"

        I think the t-shirt might actually be worse than nothing at all.

    2. Anonymous Coward
      Mushroom

      Re: @John Smith 19

      DavCrav, if you have programmers that would do that, you have bigger problems than bugs that an outsider might find.

      1. DavCrav

        Re: @John Smith 19

        "DavCrav, if you have programmers that would do that, you have bigger problems than bugs that an outsider might find."

        My point was, if we think that security researchers are just one slap in the face -- "free! T-shirt! Yay!" -- from becoming criminals, why are all programmers going to be pearly white?

        1. Trevor_Pott Gold badge

          Re: @John Smith 19

          "My point was, if we think that security researchers are just one slap in the face -- "free! T-shirt! Yay!" -- from becoming criminals, why are all programmers going to be pearly white?"

          They aren't. That's why independent security testing is required.

          Insider threats are something every company has to consider.

          1. John Smith 19 Gold badge
            Unhappy

            @Trevor_Pott

            "They aren't. That's why independent security testing is required.

            Insider threats are something every company has to consider."

            Indeed.

            True, companies' lemming-like desire to wire themselves up to the internet has certainly made hacking the in-house system a game almost anyone can play, but the insiders still have the edge.

            There's an old novel called "The Consultant" in which a bank is scared into conducting a security audit. As the auditors point out, the person you have to worry about is already inside. :(

        2. Captain DaFt

          Re: @John Smith 19

          "My point was, if we think that security researchers are just one slap in the face -- "free! T-shirt! Yay!" -- from becoming criminals"

          No, it doesn't mean they instantly turn criminal*.

          It just means that the next time a major flaw in $Megacorp's system is stumbled across that could embarrass $Megacorp, lose it millions or even destroy the company, they'll just ignore it and go on with their life without the grief of dealing with $Megacorp.

          *And I thought I was cynical!

    3. John Smith 19 Gold badge
      Facepalm

      Re: @John Smith 19

      "Pay us or we'll steal from you/your customers? What is the difference between that and extortion?"

      I guess you didn't read the rest of what I wrote.

      "This is a Board level issue. Someone saves you a $m+ hit from a hack a script kiddie could mount at any time and you want to hand them a f**king tee shirt? How about $100k instead?"

      The implied but not stated point of that paragraph was twofold.

      1) If a major part of the value your business adds to its products or services comes from your in-house software, then that development process (including bug handling) should have Board level representation.

      2) The reward should be proportional to the potential damage. Some would say 10% is not generous. But it depends how bad the software your company writes is.

      Keep in mind that time is usually a factor with these things. You seem to be thinking that the first finder who reports to the company is a) the first finder ever and b) the only finder.

      Both of these assumptions are naive.

  3. channel extended
    Pirate

    True value?

    The true value of any hack reported is what it would bring on the open market. If someone will pay 10K for a way in to company X and the company will only give 3K, then I will sell it on the market. Even if I am only able to sell it once, I still make more. Truth is, I can probably sell it at least four or five times before it is too widely known.

    1) It's not a question of cost to the company; the size of the bounty.

    2) It is a question of value; how bad the fault is.

    A bad company will only focus on number one. A good company focuses on both.
