Bug bounties: 'Buy what you want'

HackerOne CPO and former Microsoft security expert Katie Moussouris says bug bounties are valuable to product development -- but there are certain steps necessary for success.
Written by Charlie Osborne, Contributing Writer
CANCUN, MEXICO: Bug bounty programs are popular, but what does a company need to do to make them a success?

Katie Moussouris, Chief Policy Officer at HackerOne and former security expert at Microsoft and Symantec, told attendees at Kaspersky Labs' Security Analyst Summit that while bug bounties are not "one size fits all" solutions to security flaws, the concept is important in the security development cycle.

Bug bounties are programs designed for security researchers to submit flaws and vulnerabilities they have discovered in a firm's software, most often in exchange for attribution and a cash reward. Microsoft and Google are well-known companies that issue rewards -- although in Google's case, if the Project Zero team reports a flaw to another company and it is not fixed within 90 days, the vulnerability is publicly disclosed.

Using the example of her former employer, Microsoft, Moussouris recalled how the Redmond giant once famously said it would "never pay for bugs" -- but if aligned with engineering goals and the proper incentives, bug bounties can prove to be a boon for both the business itself and end users.

Microsoft never used to pay bug bounties -- after all, why would the company do so when bugs were reported for free? In the past, security researchers would report their findings without money changing hands and would enjoy the citation, the boost to their reputation being the reward in itself. However, times have changed.

The Redmond giant has now paid out over $300,000 in bug bounty rewards, and Microsoft is willing to pay up to $100,000 for "novel" exploitation techniques -- and defensive solutions -- against the latest version of the Windows operating system, according to Moussouris.

After Internet Explorer 10 left the beta stage, Moussouris says there was a big spike in vulnerability disclosures. Why? Throughout the beta stage, there was no incentive for developers to report their findings -- they would not be credited in a security bulletin, and the bug might vanish before release anyway.

In total, there were 23 submissions -- including 18 bulletin-class issues and four sandbox escapes. While each bulletin-class flaw goes for six figures on the black market, Microsoft paid out $28,000 in total, with an average payout of $1100 per bug.

This is a small amount compared with black market prices, to be sure, but there is now a legal and growing market in which security researchers can spend their time poking holes in software, rather than risking arrest through black market deals.

Bug bounties cannot replace penetration testing, nor are they necessarily cost-effective. However, if placed in the beta stage of software development -- where there is only one buyer for vulnerabilities -- Moussouris says a bounty helps companies engage with the research community while "aligning with product engineering timetables," as well as disrupting the black market for vulnerabilities itself.

"A bounty is an incentive; buy what you want," the executive said.

In other words, including bug bounties in the early stages of software development can save companies many a headache later on. Moussouris says that if you do not feed bug bounty results into the development cycle properly, you end up playing "whack a bug" -- which we can see with a number of tech firms, such as Oracle and Microsoft, that constantly deploy fixes for security vulnerabilities.

Instead, companies should implement and evolve the security development lifecycle of a product based on early bug bounty results -- and avoid dealing with singular flaws individually later in the game.

In order to make a bug bounty program successful, Moussouris suggests that companies coordinate bug bounties with the customer in mind. If a bounty program is launched during the beta stage of product development, the end result should be an improved product, and therefore a better outcome for a firm's market -- and its customers.

The security development lifecycle should be the target of heavy investment, and takeaways from bug bounties should be fed into the cycle in real time -- rather than leaving vulnerabilities open until the next scheduled patch date.

In addition, the executive said companies should always have a front door through which external researchers can report vulnerabilities, and everything that follows -- from communication to triage and issue mitigation -- should be clear and efficient.

However, Moussouris also noted an area that needs immediate adjustment: security researchers may shy away from reporting bugs and vulnerabilities out of fear of prosecution. The executive told attendees that even bug bounty programs do not stop researchers from being prosecuted, and security experts must be able to come forward "without fear of imprisonment" if product security is to improve.

Disclaimer: Kaspersky Labs sponsored the trip to the Security Analyst Summit 2015.