How Bug Bounties Are Like Rat Farming
UPDATED SAN FRANCISCO--It's become fashionable of late to have people from outside the industry give keynotes at security conferences as a way of providing a fresh perspective or unique insight into what security means. Often, that fresh perspective turns out to be some variation of the "I don't know security, so let me tell you how it doesn't relate to my field" speech. Stephen Dubner fixed that.
The co-author of the ridiculously popular Freakonomics books, Dubner is a former New York Times writer and would seem an incongruous choice to kick off the talks at a security conference. But it turns out that he knows more about security than one would think. Maybe even more than he might think. His books are filled with stories meant to show the uninitiated how deeply economics and its offshoots affect our daily lives.
Much the same could be said of security and its numerous sub-disciplines. As recently as three or four years ago, many normal Internet users probably didn't give much thought, if any, to the security of their PCs. If they did think about it, they likely thought in terms of annoying viruses and worms, or maybe identity theft. But the events of the last few years have shown that no one can afford to ignore the reality of the security situation.
In his keynote speech at the United Security Summit here, Dubner said that he had great respect for the job that security professionals do, fighting the good fight against attackers and the occasional nation-state. But his most insightful comments had to do with rat farming.
What is rat farming, you ask? It turns out it's essentially a slightly more disgusting version of bug hunting. Dubner said that he was in Johannesburg, South Africa, recently, and the city was having a serious problem with rats. Officials had tried a number of remedies with no real success, and so they eventually hit upon the idea of offering a small monetary reward for every dead rat turned in. The program was a huge hit, and dead rats started flowing in.
But the idea actually created an entirely new industry: rat farming. Once people discovered that there was money to be made by turning in dead rats, they started breeding the vermin strictly for the purpose of killing them and collecting the cash. Effective, but gross.
But it has a clear analog in the bug-bounty programs that software companies such as Mozilla, Google, Barracuda and others have established in recent years. The outcome, however, has been quite different.
The vendor reward programs pay researchers cash for reporting vulnerabilities to the companies, and they've been quite successful in drawing submissions from a wide range of people. But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing.
The researchers aren't introducing the bugs into the software, of course; the flaws were already there. What the bounty buys is the cultivation: time spent auditing code, fuzzing inputs and building reliable reproductions for bugs that would otherwise have lain dormant until someone less friendly found them. Those who run the bug bounty programs at the software companies say they are seeing far more submissions than before their programs began, and the combined effort of the external researchers and the vendors' internal teams finds far more flaws than the internal teams could alone.
The idea of people raising rats for the express purpose of killing them likely isn't what the officials had in mind when they began their reward program, and they may well end up with a larger rat infestation than they had when they began if they put a stop to the rewards and the farmed rats end up loose on the streets. The opposite has occurred with the vendors' bug bounty programs: as they've continued to reward researchers and even raised the amount they pay for new bugs, researchers have responded with more submissions, and every user of those applications has benefited.
Updated to include more context about bug bounty programs.
Comments
WTF? This makes absolutely no sense. Bugs cannot be manufactured into existing software; they are created by the vendor, not by the vulnerability finder. The analogy to rat farming is completely bogus.
I agree, a rather confusing analogy; I had to read it 3 times before I realised it still made no sense.
@Anonymous: One might say that software is created by the vendor, but it is ultimately a human who writes code. Said human might find a bug in their own code and have a choice of fixing it or leaving it there until the product ships while conspiring to share the bug with a third party and then split the bug bounty. Thus the analogy to rat farming is not "completely bogus"
Your article claims rat farming is going on. But this would only be a good analogy if it were the original developers deliberately writing bugs to collect a bounty. If you don't have pretty darn hard evidence that this is happening, your article is defamatory.
Congratulations on proving you don't have a clue-by-four. The comparison between rat farming and bug hunts is a total fail, with the exception that everyone can now add you to the list of buggy "security prognosticators."
@Muntz The analogy is bogus because it does not state the comparison clearly.
This article reflects the lack of practical or hands-on experience in the software industry... an "individual" does not find a bug in his code... there are hordes of QA and test engineers who run all kinds of tests to identify bugs in a particular enterprise software product and send it back to development to fix in this or the next release. There are actually whole teams in any self-respecting software development group dedicated only to finding and fixing bugs.
Wow, that really is the worst analogy I've ever had the displeasure of reading.
Or are you seriously claiming security researchers are intentionally introducing security bugs in said software projects (under some other identity) and then reporting and claiming a bug bounty on them? And you seriously think that is a good thing?
Or is your analogy complete and utter garbage?
And no, there really isn't a third option.
While that may be possible, there are still metrics pointing to the fact that a certain developer's code is getting a fair amount of bug reports.
Every company I have ever worked in loved collecting these metrics come performance review time. And if your bug numbers are high (compared to everyone else) you're gonna get called on it.
The only time it would be viable is if a really good coder took the bug hits to supplement his salary. Ultimately, though, it would reflect poorly on him.
This would result in a covered problem (bugs are still being found); however, it would not turn into a runaway problem (like the rat farmers) because, unlike the rat farmers, the individual introducing the bugs/rats has an incentive to not introduce them (via the disincentive of being branded a buggy coder or losing said job).
Agree with the comment above. They are essentially saying that companies are making inferior software in order to pay people to discover their exploits on purpose? I do agree with the first part of the article, in paying people to discover their mistakes. But to argue that companies are making bugs on purpose and paying people to discover them just doesn't make any sense.
The analogy isn't completely bogus. Think of it a slightly different way, a rat != a bug, a wild rat == a bug that would affect a user.
The farmed rats are then equivalent to the "could only really happen in a controlled lab environment" bug. They are still bugs, its good to get rid of them, but they aren't really (or at least shouldn't be) the primary concern.
http://search.dilbert.com/comic/Write%20Minivan
The author does leave out how this is good. But, the analogy holds. Software creation is both science and art. There are multiple ways of accomplishing any one task. It's sort of similar to the saying, "It's not a bug. It's a feature." What one designer sees as a feature, another sees as an unexploited bug... add a bounty and the line between identifying bugs and exploiting features begins to blur.
The analogy, like all analogies is certainly not perfect; but it illustrates the economic incentives very well.
I agree. This article makes no sense. It would be the same thing if the researchers were contributing software with security problems to these projects and then "discovering" the problems later. If that's happened, the article should provide references. Otherwise, we must assume these researchers are discovering legitimate bugs and are more like the legitimate rat hunters.
I think what it means is people are trying to create attacks which can be used to exploit the software and then reporting them to Mozilla etc.... they are informal hackers (as opposed to crackers)....
Normally a bug is in the usage of the software... this bug hunting does not bother much with the usage but with the bugs in the code... even if the bug does no harm in almost every case possible, these guys find out the cases where it harms the system and then report it? Probably he meant it that way...??
>"What one designer sees as a feature, another sees as an unexploited bug... add a bounty and the line between identifying bugs and exploiting features begins to blur."
No, this is nonsense. The bug bounty programs mentioned only pay for real exploitable security bugs, as you would know if you read their FAQs. Whether it's a bug in the code or a feature that is capable of being misused is utterly irrelevant; all the bounty programs want to do is uncover vulnerabilities, regardless of their underlying cause. Perhaps it's slightly misleading to refer to them as "bug bounty" programs rather than "security holes opened by bugs or misdesigned or misimplemented features bounty" programs, but the latter is rather a mouthful.
And therefore the comparison to rat-farming is still bogus, because the people claiming the bounties are not creating new bugs that previously did not exist. That's the whole thing about rat-farming: the unintended consequence of paying a reward for rats is that new rats that did not previously exist are created by the farmers. But unless the researchers accused in the article are actually deliberately writing buggy code and submitting it as contributions to the open source side of the projects so that they can subsequently pretend to have discovered the bug to claim a reward, they aren't comparable to rat-farmers, because paying them does not cause new bugs to be deliberately inserted into the code in question.
Dubner's speech was not "insightful". It was just plain wrong.
Is this analogy based on actual facts, or is it just a weird and very bad idea by someone who has absolutely no clue? There's no way to know if your rat came from a farm or from the wild, but there are plenty of ways to trace a bug back to the person who is responsible for it.
Honestly, given the number of checks, peer reviews and unit tests usually in place at such big companies, there is absolutely 0% guarantee that an intentionally inserted bug by a programmer would make it into the final release of the product.
Anyone with the slightest amount of talent would be much better off putting his efforts towards writing good code and working on getting a promotion instead of trying to make bank from such an unpredictable scheme at the risk of getting fired.
The author clearly has no clue about how software is made and how security works in the slightest. I'm not sure who concerns me more, though. The author or the people trying to defend the nonsense analogy.
For the fools who think "a rat != a bug, a wild rat == a bug that would affect a user": all bugs affect users eventually. The point of the bug hunt in the lab is for the White Hats to find the bug before a Black Hat finds the bug. A bug in Chrome is probably completely meaningless to any user, except once it is found by a Black Hat they start using it to hack your system.
Bug Bounties are really more of a race to find a bomb that unless a Black Hat finds it will never go off.
Unless you have proof that a rogue programmer in a company is deliberately putting bugs into the software to give them to someone else so they can make some easy cash, the analogy is completely false and should be rescinded by the author.
Yes it's possible for someone working for a vendor to slip a bug into the software, then conspire to collect the reward for its discovery. But if they did it more than once, the chances of them being caught would be astronomically high. This article seems to be seven paragraphs of introduction, and one unsupported thesis with a conclusion that makes no sense at all. Add another few paragraphs of explanation of how bugs can be "bred" and maybe some support for the thesis and it will make a lot more sense.
No judgement intended - this article just seems to end right about the time it starts to get up to speed.
This is bullshit; you can't insert a bug into software from outside. And if an insider tried to do it he would be caught in no time.
Oh, and we all know how perfectly QA'd outsourced code to foreign countries (let alone domestic) is... The emergency patches companies send out MUST be a ruse for support $$.
How they protect the code bases with perfect segregations of duties...
How they could NEVER accidentally or intentionally install or distribute malicious code ..
History has NEVER given us examples those things happening..
This could NEVER be exploited by a disgruntled bunch of programmers
Get off the high horses people… its plausible
This has got to be the most confusing analogy I've ever read. The biggest difference between rat farming and bug hunting is that with rat farming, the supply can be manipulated. For bug hunters, the supply is delivered by the product/company, which cannot be manipulated by the hunters themselves. Your post is very confusing.
No, it's not even a little bit plausible.
Any software that offers bug bounties will track its source code using a modern source control revision system.
If the bug bounty system is maliciously exploited by introducing malicious bugs, there will exist in the revision system a traceable log of who introduced the malicious bugs and how.
I think it's dishonest to add paragraphs to the article, without noting that you have done so.
So this means everyone and their mother should be calling Dennis Fisher out for being a piss poor journalist. Not only can he not properly report on an analogy that was (I assume) used in the presentation, but he edits the article without indicating that he's done so to make the comments on the article look like people didn't read the article.
As a regular reader of ThreatPost I think I'm going to take my loyalty elsewhere. Clearly we, the readers are the product, and mis-informing us (or reporting the news poorly) isn't a concern. The concern is selling us to the advertisers.
Goodbye ThreatPost, I shall not miss you.
This appears to be just another example of a tech "journalist" trading their credibility for the many, many clicks that result from this type of moronic and controversial trollbait.
Oy. So the analogy to rat farming is to say it's not like rat farming at all. Brilliant. (as in not brilliant).
Input Fuzzing: Creating thousands of erroneous inputs into a system in an attempt to find a bug.
Rat Farming: Creating thousands of random inputs into a system in an attempt to find a bug.
Q.E.D.
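A worked illustration of the input fuzzing the comment above describes, added here as an example; it is not code from the article, from any commenter, or from any vendor's bounty program. It is a small mutation fuzzer in Python run against a constructed toy tag-length-value parser that trusts its own length field; the parser, its bug, the seed record and the mutation operators are all assumptions made up for this example. The point it adds to the comment's one-liner is the full loop a bounty hunter actually runs: mutate, execute, separate intended rejections from real crashes, then minimize the crasher into a reproducible report.

```python
import random


def parse_record(data: bytes) -> tuple:
    """Constructed toy parser for a tag-length-value record.

    Layout: 1-byte tag, 1-byte length, then `length` bytes of value.
    The bug, built in for this example: the parser trusts the length
    field and indexes the value with it, so a record whose length byte
    exceeds the bytes actually present raises IndexError. The C-world
    equivalent would be an out-of-bounds read.
    """
    if len(data) < 2:
        raise ValueError("record too short")          # intended rejection
    tag, length = data[0], data[1]
    value = data[2:2 + length]                         # silently truncated
    checksum = value[length - 1] if length else 0     # IndexError if truncated
    return tag, value, checksum


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: bit flip, insert, delete or truncate."""
    data = bytearray(seed)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> list:
    """Feed `iterations` mutated copies of `seed` to `target`.

    Returns (input, exception name) pairs for every distinct input that
    raised something other than ValueError. ValueError is the parser's
    own deliberate rejection and is not a bug; anything else is a crash
    worth triaging. The fixed rng_seed makes the whole run reproducible.
    """
    rng = random.Random(rng_seed)
    crashes = []
    seen = set()
    for _ in range(iterations):
        case = mutate(seed, rng)
        if case in seen:
            continue
        seen.add(case)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((case, type(exc).__name__))
    return crashes


def minimize(target, case: bytes) -> bytes:
    """Shrink a crashing input by dropping bytes while it still crashes.

    A minimized case is what goes into the bounty report: it reproduces
    the crash with nothing irrelevant left in it.
    """
    def still_crashes(candidate: bytes) -> bool:
        try:
            target(candidate)
        except ValueError:
            return False
        except Exception:
            return True
        return False

    changed = True
    while changed:
        changed = False
        for i in range(len(case)):
            candidate = case[:i] + case[i + 1:]
            if still_crashes(candidate):
                case = candidate
                changed = True
                break
    return case


SEED = b"\x01\x04abcd"   # constructed seed: tag 1, length 4, value "abcd"

if __name__ == "__main__":
    found = fuzz(parse_record, SEED)
    print(f"{len(found)} distinct crashing inputs")
    if found:
        print("minimized crasher:", minimize(parse_record, found[0][0]))
```

Two design choices matter here. First, the fuzzer treats the parser's own `ValueError` as a non-finding: a rejection the code intended is not a bug, and a bounty triager will close a report that is only that. Second, every run is seeded, so a crash found once can be found again; a reproducible case plus a minimized input is the difference between a payout and a "could not reproduce".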
Just posting in agreement, Mr. Fisher's article sucks; this has no point... it's as bad as McGraw's post the other day.... absolutely useless waste of time and effort which conveys no information.
"I juggle verbs, adverbs and nouns. And run."
You do so badly, sir....
Oh for goodness' sake, when you're in a hole, stop digging. Your ludicrous self-justifying post-edit has merely made your article internally inconsistent:
> "But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. [ . . . ] The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances."
So the researchers aren't introducing them, but they are "being bred in the lab"? What does that gibberish even mean if it's not supposed to suggest they are being artificially created? Give it up now before you make an even bigger fool of yourself.