A SCADA software vendor announced a vulnerability bounty program with a twist: instead of paying researchers for bugs, it will offer points that can be redeemed towards buying licensed copies of the company’s software.
“This non-monetary bug bounty program is part of our effort to make IntegraXor SCADA more secure, safe and stable,” IntegraXor said in a blog post on its Website.
The value of the rewards range between $149 and $3,999, depending on how the licenses are sold, the company said. Researchers will earn different amounts of points depending on the severity of the bug they reported. “If you are not an IntegraXor SCADA user, then you are allowed to resell the reward point in our forum or anywhere else,” the company said.
There have been numerous reports of serious vulnerabilities in supervisory control and data acquisition systems over the past few years. These industrial control systems are found in a number of environments, such as manufacturing plants, utilities, and transportation systems. Most of the vulnerabilities have to do with poor authentication schemes and the fact they weren’t originally designed to be on the network in the first place.
Fixing the issues have been notoriously a slow process, as vendors have not typically released patches in a timely manner. It’s also challenging to take systems offline for maintenance since they are generally used in critical environments where systems can’t be turned off. Even so, some vendors have started taking vulnerability disclosures seriously and started working with the research community to identify and repair some of the issues.
In the case of IntregraXor’s bug bounty program, however, critics blasted the company for implementing a rewards program that provided no incentives for researchers to participate. The fact that points can be redeemed only to buy software from the same vendor will encourage researchers to not bother looking at the software, or sell interesting bugs on the open market.
“The kind of people who have the skills to find the really important bugs are not going to be interested in a free license or two,” Chris Soghoian, a well-known privacy researcher currently working with the American Civil Liberties Union, told SecurityWeek. “If this company wants to encourage researchers to come to them with exploitable vulnerabilities, they should follow the lead of companies like Facebook, Google and now Microsoft too: offer cash,” he said.
On Twitter, Soghoian called the program, “pathetic.”
Under the terms of the program, researchers who find vulnerabilities must disclose the issue directly to the company and not through a third-party. The disclosure must include a complete list of steps taken to reproduce the bug, or a proof-of-concept, according to the post. Researchers are also warned to download and setup their own testing environment, and not to attempt to access production or other systems.
The company is only interested in vulnerabilities affecting the IGX SCADA system, especially those that affect the integrity of data linked to external devices, particularly tag data, according to the post. Issues found in the beta, release candidate, or out-of-date IntegraXor server/editor, browsers, and plugins will not be accepted by the program.
The company will also not consider physical attacks or issues that arise from unexpected usage. Vulnerabilities found in how third-party libraries, external devices, and other products communicate with Integraxor’s devices will not be considered. The issues are not within the company’s control. However, researchers would still get some credit for some of these disclosures since the company would know which third-party products are risky to use. The program will accept only “practical issues,” according to the post.