Bug bounty programs: The road to hell is paved with good intentions

Bug bounties are in the news again. Twitter has announced its own new scheme, while Robert Graham of Errata Security claims legal actions brought for loss of personal data will more likely succeed if the service provider does not have a bounty program. Twitter’s bounties start from $140 (with no specified upper limit) – a figure that has been widely derided; while Graham (an expert witness) claims the lack of a program indicates that the breached company has not done all it could to prevent the breach.

Graham’s point of view implies that bug bounties are an effective security process. Twitter’s bounties suggest they need not be expensive. But are these true? I spoke to Ilia Kolochenko, CEO and founder of High-Tech Bridge, a firm that specializes in penetration testing and vulnerability discovery.

“Bug bounties,” he said, “can be an extremely effective tool if they are implemented and operated correctly. The problem, however, is that this is difficult to do and rarely achieved; and they can actually do more harm than good.”

The main problem is that once a bounty program is in place, hackers of every level of qualification and ethics consider it a green light to attack the system. The issue here is that these are frequently hackers with very modest experience of professional security testing, or none at all, who can actually damage the system they are probing. “Checking for XSS is harmless and even without a bounty program I would say perfectly legal if used to notify the vendor,” said Kolochenko. “But in checking for something more dangerous, like SQLi flaws, if the researcher is not skilled enough he could unintentionally delete something or make something unusable by incompetent testing. I am not even speaking about automated tools and scanners that can seriously harm live systems if used blindly. The problem is that quite often crowds of young hackers use a dozen vulnerability scanners simultaneously to fuzz the victim, betting on the quantity rather than the quality of security checks.”

In many jurisdictions, SQLi probing could be considered illegal. The presence of a bounty program, however, removes this restriction even for low-calibre hackers. High-level researchers, added Kolochenko, don’t usually care about bug bounties. “Competent researchers are not usually the people who regularly submit bugs to collect the bounties, simply because that is not their motivation. They may do it from time to time for glory or mainly for fun/challenge, but that’s definitely not their core business/hobby.”

But if the mere existence of a bounty scheme already attracts potential danger, this is often exacerbated by the size of the bounty itself. Consider the starting point for Twitter’s program: $140. “It’s almost an insult,” said Kolochenko. “Personally I don’t know any professional security researcher who would be interested in digging into Twitter systems for $140 – in fact I don’t know anyone who would systematically do it for $1400 – Twitter is not a small self-written CMS, its audit requires serious experience, qualification and plenty of time, while time is money. Obviously, people [who submit vulnerabilities to Twitter these days] may be motivated by glory and challenge, but such motivation usually disappears quite quickly.”

In fact, Twitter isn’t even the worst culprit. HackerOne coordinates numerous bounty schemes for many companies, and a quick glance through its Public Programs page shows a large number of very small bounties. While OpenSSL offers a minimum bounty of $2500 and Sandbox Escape offers $5000, Yahoo offers a pitiful $50. Even this, however, is an improvement. You may recall that almost exactly a year ago Kolochenko found and reported four XSS flaws on Yahoo. His reward was a $12.50 discount voucher to be spent in the Yahoo Store – in other words, a T-shirt with Yahoo’s logo. The public outcry was so great that Yahoo rapidly evolved a new scheme, which it said at the time would start at $150. It seems to have had second thoughts and dropped this to just $50.

Is the solution simply to offer greater rewards in order to attract the more serious researchers? Partly, says Kolochenko – but another issue is the way the schemes are implemented. “The problem is companies think that bug bounties are simply something they can announce and that will be enough.” Management often thinks it is a good idea that can be handled by IT without any further resources (other than the bounty itself).

This is not the case, says Kolochenko: an efficient bug bounty actually requires a dedicated team to handle it effectively. Once again, the inexperienced beginners and enthusiasts are the cause. “They’re not always very good at explaining the vulnerability, often just submitting a screenshot or a raw HTTP request as the only explication and/or proof. The company then has to spend hours trying to work out what they’re trying to say – is it a vulnerability, a weakness, a feature; a false positive; a third-party software vulnerability; etc.”

An under-resourced bounty team can easily become overloaded and not reply. The danger here, suggests Kolochenko, is that the researcher is easily offended. “OK, if you’re not interested in what we’ve discovered, we’ll swap our white hat for a grey/black hat and talk to someone else who may well pay us more.” So once again, a poorly implemented bounty scheme might end up causing more harm than it prevents.

Moreover, one should not forget that a bug bounty, even when properly implemented, can never replace professional information security services and solutions; it can only complement them. Does this mean, then, that bug bounty schemes should be abandoned?

“Not at all,” said Kolochenko. “A well-resourced and implemented bug bounty scheme can be very useful. But it should be considered as part of the company’s overall security posture and planned, implemented and resourced as such.” It is not something that can just be announced and expected to work, but something that offers sufficient rewards (not only financial ones) to attract top-grade researchers. For example, a job offer for the top researcher of the year would be a great motivator for many talented people from developing countries, as well as a great benefit to corporate security. Companies should also clearly understand and keep in mind that a bug bounty requires quite a serious financial investment, and a team to handle all the submissions. With all of this in place, says Kolochenko, the bug bounty scheme becomes an additional, very useful security layer for the service provider.