Bug catching activities beneficial, but obstacles exist

Rewarding security researchers to spot Web site bugs and loopholes is a "positive" endeavor, but safeguarding data privacy and negotiating different regulatory regimes may prove challenging, observers note.

Bug catching activities such as cybersecurity contests and reward programs to spot security loopholes within a company's Web sites can minimize post-breach consequences, observers say. They did warn, though, that such activities could run into privacy and regulatory hurdles.

For some time now, tech companies have been running bug bounty programs that pay researchers who discover vulnerabilities on their Web sites and report them responsibly. PayPal launched such a program last month, while Google and Samsung have also implemented similar initiatives. Michael Barrett, chief information officer of PayPal, said in a blog post that the experience has been "very positive" since the program was launched.

A Facebook spokesperson told ZDNet Asia that the company does not hold cybersecurity contests to test its site's security standards. It does, however, have people known as "white hats" who responsibly disclose the security loopholes and vulnerabilities they find, she added.

It is this responsible disclosure of site bugs and security vulnerabilities that allows vendors and site operators the opportunity to fix these issues and minimize the potential impact, thus stopping cybercriminals from claiming more victims, Carl Leonard, senior manager of security technology research at WebSense, noted.

Rob McMillan, research director at Gartner, added to Leonard's point, saying it is better companies provide an incentive for security researchers to spot these vulnerabilities rather than find out as a consequence of a site breach.

Data integrity, regulations an issue
However, he pointed out that such programs face challenges related to confidentiality and to the regulatory landscape of each individual country.

For one, these researchers or white hats may choose to create their own bugs and introduce them into the system before announcing their "discovery" to win the cash prizes on offer from cybersecurity contests or bug bounty programs. This is a potential security vulnerability, as the researchers involved would have access to the Web site's source code, architectural insights and control, McMillan explained.

This is why Charise Yong, the founder of Singapore-based blog shop Muffin Cupcakes, said she would have "second thoughts" about holding cybersecurity contests for her Web site.

"You never know how trustworthy these researchers are, and I'm not willing to put customer information on our site's database at risk," Yong said.

McMillan also said there might be different regulations in various markets with regard to running cybersecurity contests. These laws vary, for example, in how research for security vulnerabilities is conducted, he said.

Nushin Hernandez, security analyst at Canalys, added that in order for proactive monitoring of site security to work, responsible disclosure policies need to effectively communicate the pros and cons of adhering to ethical behavior. Facebook, for one, has a rigid policy that makes clear the legal implications for unethical practices, she noted.

The social networking operator stated: "If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

Hernandez also urged site operators to look beyond just organizing cybersecurity contests or bug bounty programs, and invest in establishing robust security systems to protect against network-based attacks and safeguard sensitive data.
