In January, the European Union kicked off more than a dozen new bug bounty programs targeting a bevy of popular open-source programs used by its member institutions. The effort was supposed to be met with cheers. Instead, the launch sparked an unexpected backlash from the security community.
The EU's program was certainly well intended, and flashy. It tempted bug hunters with a variety of bounties, totaling roughly $1 million in payouts, for finding vulnerabilities in free open-source projects such as FileZilla, Apache Kafka and VLC Media Player.
So why the backlash? Security experts argued that the program put too much weight on bug bounty payouts. Instead, they argued via social media, organizations like the EU should be directing that $1 million security investment internally, to better secure their own products from the development stages through post-deployment.
“While it’s been good that people are embracing outside help from security researchers and hackers, what has been detrimental is the overuse of bug bounties as a cure-all for all of your security problems,” Katie Moussouris, founder of Luta Security, told Threatpost.
The pushback against the EU program reflects a subtle change in attitude toward bug bounties. As such programs become wildly popular, many have lost sight of the reason they were launched in the first place: to improve security overall.
Bug Bounty Bonanza
Bug bounty programs continue to gain traction. A recent study from vpnMentor counts more than 700 programs this year alone, and a 2018 HackerOne report shows that adoption of bug bounty programs in North America grew 37 percent over the previous year. Latin America is the region with the fastest adoption, with an increase of 143 percent year over year.
But as the bug bounty landscape flourishes, security experts worry that some programs – like the EU's – are focusing on glitzy PR and not on their own security. Moussouris and others argue that companies are placing too much emphasis on payouts for specific bugs and not enough on the underlying issues that allow those bugs to exist in the first place.
Too Little Focus on Root Cause
For the EU, the recently launched bug bounty program was a reaction to the Heartbleed vulnerability. The fear was that the 2014 OpenSSL Heartbleed bug was symptomatic of a larger problem: other insecure open-source libraries were in use on an unknown number of EU websites and workstations. A bug bounty program, the reasoning went, would help the EU get a handle on that problem.
But Josh Bressers, head of product security at Elastic, pointed out in his blog that the EU's 2019 bug bounty program will have the unintended consequence of overwhelming project maintainers, who will be scrambling to keep up with incoming bug reports while the question of how to prevent those security issues in the first place goes unaddressed.
“If nothing changes and bug bounties are the only way to spend money on open source, this will fizzle out as there isn’t going to be a massive return on investment,” he said. “The project maintainers are already overworked, they don’t need a bunch of new bugs to fix… Resources shouldn’t always be money [spent on bug bounty programs]. Sometimes money helps, sometimes what’s needed is gear and sometimes maybe it’s pizza. An organization like the EU has money, they need help turning that into something useful to an open-source project.”
Bressers and others argue that the millions of dollars being funneled into bug bounty programs could be spent in other, more effective ways to secure products and services.
That includes paying for more open-source maintainers, a need Moussouris flagged the EU for ignoring in a December tweet, or securing products before they ship. Maintainers are responsible for the direction and functional aspects of open-source projects, including their security.
I disagree that it's a good thing on its own.
Where is the money for more paid maintainers?
It's not there.
A #bugbounty on open source projects that don't get any funding for additional maintainers is likely to decimate the volunteer maintainer labor pipeline of the future https://t.co/1YgwDNeFXM
— Katie Moussouris (@k8em0) December 28, 2018
The EU isn’t the only bug bounty program that has raised concerns.
At Black Hat 2018, Google bug hunter Ian Beer, drawing on his experience finding more than 30 iOS bugs, stressed that Apple suffers from a common problem: it patches individual iOS bugs without fixing the underlying issues that make those flaws possible.
Beer said that each vulnerability found should be a lesson where a security lead needs to ask: “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could have found [the bug] earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”
What About the Bug Hunters?
Naturally, high-paying bug bounty programs have also attracted researchers. With companies such as Google saying it paid $3.4 million to bug bounty hunters in 2018, it’s no surprise that bounty hunters are flocking to the chance to find more.
But even researchers say that higher payouts don’t necessarily equate to better programs.
“Sometimes, the marketing department of a company will come up with an initiative to pay an outrageous sum as proof of their security,” a full-time information security professional and part-time researcher who goes by the moniker “chudel” told Threatpost. He said companies foolishly challenge the white hat community with offerings like a $100,000 dare to anyone that can hack a company asset.
“These can play out disastrously for the company and the community… and often come with so many constraints that they are simply not rewarding,” he said. “I think researchers have a healthy amount of ego and won’t participate if they feel they are being used to another purpose.”
For Craig Young, with Tripwire, the fact that bug bounty programs are becoming the sole channel for submitting vulnerability reports means that some programs also open a can of worms for the hunters themselves.
“This can be problematic because bounty programs may also include detailed terms and conditions stipulating that researchers can be punished for sharing reports with third-parties without express permission from the vendor,” he said. “This effectively allows vendors to use bug bounty programs to silence researchers while they drag their feet deciding how to proceed. The result is that researchers may need to decide between getting paid and actually helping people be protected from attack.”
Future of Bug Bounty
Bounty program leaders remain optimistic about the future of bug bounty programs, especially as the hype around programs begins to cool down.
“The only challenge is the hunt for the bug and the difficulty in finding them, and we always find them,” Marten Mickos, CEO of HackerOne, told Threatpost in a recent interview when asked about concerns that companies are relying solely on bug bounty. “Everything else is manageable and can be handled, there are always detractors who will say that this or that is not working. It’s not true.”
Casey Ellis, founder and CTO of Bugcrowd, said that it’s important for firms to recognize the logistics of public bug bounty programs “beyond the press release” – such as a company’s ability to ingest the reports coming in from the program, or its ability to actually remediate the issues found. One way to do that, he said, is to first engage a trusted, curated subset of the community in a private, more controlled bug bounty program.
“When people talk about bug bounty programs, they’re not all [talking about the same thing],” he said.
Ellis concedes the industry suffers from multiple interpretations of what constitutes a bug bounty program – for instance, some firms view bug bounty programs as a way to merely find bugs in their products, while others might be smarter with how they handle their programs and view them as an opportunity to hire talent or improve vulnerability disclosure processes.
“When it comes to public bug bounty programs, it’s suitable for a lot of companies, but I don’t believe personally that it’s suitable for everyone,” he said.
While Moussouris said that bug bounties “can definitely be helpful,” she stressed that companies need to rethink how they use the programs, treating them as a way to help their existing in-house security teams rather than to undercut them.
“That in house expertise, that’s really what people need to build in terms of long term sustainable security,” she said. “You’re never going to be able to outsource your bug hunting completely. That’s the most inefficient way to find bugs, is after it’s already out there, after the website is up, or the software is released, or the product is released, and asking a bunch of internet people to help you secure it.”
Ultimately, it comes down to companies recognizing that bug bounty programs can be a helpful supplement to security – as opposed to a “cure-all,” she said.
“We’re trying to basically make it so that a bug bounty program is one key part of the overall secure development life cycle,” said Moussouris. “They are tied together.”