As cybercrime continues to evolve, companies are always looking for ways to improve software security. One practice that has risen in prominence in recent years is paying out financial rewards, or “bug bounties,” to independent researchers who discover security vulnerabilities. A recent Wired article took an in-depth look at this practice to assess the effectiveness of corporate programs that pay for discoveries.
Profile of a bounty hunter
While the security enthusiasts hunting for weaknesses in software such as Mozilla’s Firefox browser are not exactly the Hollywood ideal of a gun-toting bounty hunter, they can still reap significant financial rewards. Wired profiled one computer science graduate who lived for a year and a half as a freelance bug hunter before finding full-time employment doing malware analysis. The bug hunter, Abdul-Aziz Hariri, earned more than $50,000 in his first year of submitting bug reports to HP TippingPoint’s Zero Day Initiative (ZDI) program. Bounty programs such as HP’s pay anywhere from $500 to $60,000 per bug, depending on the program and the severity of the flaw.
Facebook, for example, generally pays $500 per bug but has paid as much as $10,000 for major discoveries. Google’s Chromium program pays between $500 and $1,333.70 for bugs found in the company’s Chrome browser, while advanced bugs in Google web properties can fetch as much as $20,000. The web giant’s Pwnium contest, which requires researchers to not just find a vulnerability but also submit a working exploit of it, offers awards ranging from $20,000 to $60,000.
The HP TippingPoint ZDI program has processed more than 1,000 vulnerabilities and paid out more than $5.6 million since its introduction in 2005, Wired reported.
By offering such rewards, companies hope to deter researchers from turning to the open market, where exploits can command higher prices. Some third-party firms make a business of brokering flaws to corporations or governments, and working exploits also fetch prices from illegitimate buyers. Some experts have suggested that the trade in software security exploits is growing and could pose a cybersecurity risk, Harvard Law School recently reported.
Worth the cost?
For companies using bug bounties to fight back against this risk, assessing the financial benefit of doing so is important. According to Wired, there is no hard data showing that bug bounties reduce vulnerabilities, but anecdotal evidence from security experts suggests that they do. Companies such as Google have claimed that the number of incoming reports to their bug bounty programs has decreased over time, which they take as a sign that the programs are working.
Large companies using such programs supplement them with security researchers of their own, and many businesses hire third-party auditors. However, independent bounty hunters can offer a different perspective.
“The advantage of the program is if some new tactic or technique comes out that we don’t know about, we can guarantee that someone that wants to earn a bounty will know about it,” Facebook Chief Security Officer Joe Sullivan told Wired.
Experts cautioned, however, that such programs only work for companies that already have robust software security. Companies need to ensure that they have security staff on hand to triage and fix reported bugs, and that they are offering a mature product in which flaws have already been minimized; otherwise a bounty program simply pays outsiders to find defects the company could have caught itself. For most organizations, code analysis is a more practical first step: it strengthens the software directly and hardens the code before a bounty program is opened on it.
“You do want to have a decent-size security team before you undertake this, and you do want to make sure that you’re fairly confident your products meet a reasonable level of robustness,” Google information security engineer Chris Evans told Wired.
While bug bounty programs can improve software security, they should complement existing measures such as a secure development process that includes code analysis.