SEATTLE–For many years, Microsoft and other large software vendors resisted the idea of providing bug bounties or other financial incentives for researchers to report vulnerabilities. That changed when the landscape began to shift and more researchers began reporting vulnerabilities through brokers or selling them on the open market. While bounties have now become commonplace, simply offering one doesn’t guarantee any level of success for a vendor.
“There is no one-size-fits-all bounty program. They’re all different,” Katie Moussouris, chief policy officer at HackerOne, said in her keynote speech at Virus Bulletin here Wednesday. “No bounty program is doing you any favors if it isn’t feeding back into the [security development lifecycle].”
Moussouris was deeply involved in the development of the Blue Hat prize and the Microsoft bug bounty program announced last year. Unlike other companies that offer rewards for information about vulnerabilities in their products or Web properties, Microsoft took a different tack with its bounties. The company offered $100,000 for new techniques that can bypass the exploit mitigations on the newest version of Windows. Moussouris said at the time the bounty was announced that Microsoft had been monitoring the way that vulnerability information came into the company and detected a shift that made it prudent to offer the bounty in 2013.
That kind of reward structure made sense for a company of Microsoft’s size and scope, but Moussouris said every organization needs to figure out what fits for its specific needs. Just this week, Microsoft expanded its own program to some of its Web properties.
“There’s a number of different motivations and appeals for hackers in this,” she said. “There’s a certain percentage of any population, hackers included, who will just act in a self-serving way. But most people, hackers included, want to do the right thing. The IE 11 bounty was a deliberate attempt to get some of the same researchers who might have come forward anyway to come forward at a more convenient time for us.”
Vendors that offer bug bounties have plenty of competition these days, through both the black market for vulnerabilities and the more legitimate market in which governments, contractors and law enforcement agencies are players. The prices for bugs can vary greatly based on a number of factors. Moussouris said that the lower end of the market typically consists of buyers who use the information for defensive purposes only.
“There’s a graduation or variation of price based on intended use. You tend to see the highest pricing model for offensive use only,” she said. “There can be a big fee up front and then a recurring fee for as long as that bug stays in play, meaning it’s unknown to security vendors and AV.”
There have been some discussions in the security community about how governments should handle vulnerability sales and purchases, and Dan Geer, CSO of In-Q-Tel, suggested at Black Hat in August that the United States government could put a major dent in the market by essentially cornering it. But Moussouris said she doesn’t think the plan could work in practice.
“Vulnerabilities aren’t sparse for many reasons, and even with systematic improvements you’re going to miss things and need to build extra features,” she said. “When you do that, you’re pouring new bugs in there. Ideally they will get harder to exploit. That’s the true value of an SDL. But could they drain the swamp and have us all out of a job in five or ten years? I don’t think so. What would happen if an outside organization flooded the market with money? This is a very disruptive force but I don’t think it would drain the swamp of bugs.”