Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Disclosure: A Case for Bug Bounties

Like it or not, vulnerabilities are a fact of life in information security–and so are the people seeking them out. Yes, independent testing may be illegal without express permission but that doesn’t stop these code pillagers from sniffing out vulnerabilities and weaknesses in your web applications.

Like it or not, vulnerabilities are a fact of life in information security–and so are the people seeking them out. Yes, independent testing may be illegal without express permission but that doesn’t stop these code pillagers from sniffing out vulnerabilities and weaknesses in your web applications. And while many of them are attackers with malicious intentions, others are whitehat good guys concerned about the security of their data, as well as others, that may be using your application – which is just one reason disclosure has become such a hot topic.

With that said, it is undeniable that illicit security testing on web applications is becoming more widely accepted. Despite the obvious legal and safety pitfalls, bug-chasers have become a regular part of the security landscape – and that means we can all benefit from finding a productive middle ground that respects organizations and protects well-intentioned researchers, while thwarting attackers.

About Bug Bounty Programs

A Reason to be Spooked

So, if there’s a place for benevolent testers why are they hesitant to let the organization know when they find a vulnerability? The potential legal consequences are too intimidating. One example: 16-year-old Australian, Joshua Rogers, who found a SQL injection vulnerability in his local area’s Transport Department website that gave him access to the personal information (credit card numbers, names, birth dates, etc.) of more than 600,000 citizens. Rogers shared the information with a media outlet – only after receiving no response from the website staff – and consequently was reported to the local authorities.

Then there’s Andrew Auernheimer, who stumbled upon an AT&T security flaw that allowed him to obtain data on iPad users. Auernheimer did not sell or use the information maliciously, saying he believed AT&T needed to “be held accountable for their insecure infrastructure as a public utility.” Nevertheless, federal prosecutors charged him with identity theft and conspiracy charges and Auernheimer was sentenced to 41 months in federal prison. Some media entities anticipate that his prosecution will deter whistleblowers from reporting vulnerabilities, ultimately limiting the protection of citizens the justice system serves.

Disclosure Models

These examples make it clear why so many independent testers are hesitant to contact organizations directly with their findings. Without a protected way to report bugs, many feel safer making a public and anonymous disclosure. Yet that merely shifts the risk to the organization by publicizing its vulnerability before they have time to fix it; it also hangs out a neon sign for malicious parties to exploit it.

This conundrum has created a variety of implicit disclosure models. Proponents of Non-Disclosure believe vulnerability information should always be kept private or shared only under non-disclosure agreement. People who advocate Full Disclosure believe in publishing vulnerabilities without restriction, often through mailing lists, academic papers or industry conferences. Benefits of this model include helping users understand their own systems better as well as empowering customers to pressure vendors to for vulnerability solutions.

Advertisement. Scroll to continue reading.

Coordinated Disclosure, on the other hand, holds that any vulnerability should be concealed until the software vendor grants permission for disclosure. Even then, the information is shared with a limited audience. Customers benefit from high-quality updates without risking attacks during the update development period.

Then we have the Responsible Disclosure model, where all stakeholders agree to terms that allow the organization to create a solution before the vulnerability details go public. Often these take the form of Bug Bounty programs – an option that’s gaining traction among both researchers and organizations.

Bug Bounty Programs

If you’re not familiar with these programs, they foster responsible disclosure by granting permission to find vulnerabilities and usually provide some type of a reward for disclosing them in a discreet and ethical manner. By compensating – rather than prosecuting – the tester, businesses provide an incentive to find unknown vulnerabilities and report them privately for resolution before an attacker learns of them. It’s a win-win for both parties; the bug-finder receives money, swag and/or recognition and the organization strengthens its security.

Not everyone approves of “vulnerability commercialization.” Yet this kind of crowd-sourced security is being practiced by some of the biggest names in the industry, according to Bugcrowd.com. Microsoft, IBM, Amazon Web Services, Google, Facebook, Salesforce and Yahoo all have operated some type of bounty program. The practice has proven so effective that a bug bounty industry has sprung up, with companies like iDefense and TippingPoint managing programs for organizations.

In the end, part of building a web application is knowing that your app will be tested no matter what. Hackers – good or bad – are inevitable; providing the white-hat testers with a safe and responsible path to disclosure can be the most effective route to patching a vulnerability before it can be maliciously exploited. Is there a place for prosecution? Absolutely, when you’re dealing with a malicious party. But given the number of well-intentioned independent testers out there, meeting them halfway in a spirit of collaboration can reward the right players in the game and keep the wrong players off the field.

Related: Pwn2Own Hacking Contest Targets Microsoft EMET Protections

Related: Researcher Discloses Critical Vulnerabilities in Oracle Forms and Reports

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.