Bug Bounties in Crosshairs of Proposed US Wassenaar Rules

Bug bounties and rewards programs provide researchers with a measure of income, and if the proposed Wassenaar rules are implemented in the U.S., those initiatives could be adversely impacted.

Bug bounties have gone from novelty to necessity, not only for enterprises looking to take advantage of the skills of an organized pool of vulnerability hunters, but also for a slew of independent researchers who make a living contributing to various vendor and independent bounty and reward programs.

The proposed U.S. rules for the Wassenaar Arrangement pose a real challenge for all sides of that equation.

The rules are meant to curb the sale and trade of dual-use weapons, and in a computer security context, that means so-called intrusion software such as FinFisher and HackingTeam tools that are allegedly sold to and used by oppressive regimes to spy on citizens. Security researchers have voiced their concerns in the two weeks since the proposed rules were made public that the U.S. rules' definition of intrusion software is too broad, and legitimate vulnerability research and proof-of-concept development will come under regulation.

That means researchers who find a zero-day vulnerability and develop a PoC exploit triggering the issue would have to apply for an export license in order to privately disclose their findings to the vendor in question. As a result, there will be occasions when a foreign researcher, for example, would have to share details on a zero-day with their government before the affected vendor.

“There are lots of concerns from researchers if this gets implemented,” said Kymberlee Price, senior director of operations at Bugcrowd, a private company that provides a platform for organizations wishing to start bug bounty programs. “Is it worth the effort to continue to report vulnerabilities if you have to go through a government and are likely to have to disclose details on that vulnerability? Do we want foreign governments knowing about it before it’s reported directly to the vendor so it can be patched?”

Said governments could always provide grounds to deny an export license, not only putting a researcher’s livelihood in jeopardy, but also in the process gaining access to details on a serious vulnerability that could be added to the government’s arsenal.

“This may impede both bug bounty programs as well as vulnerability coordination with vendors across borders. The amount of additional overhead in applying for export licenses will discourage individual hackers, resulting in a chilling effect with more researchers choosing simply not to report vulnerabilities, or not to do the research at all,” said Katie Moussouris, chief policy officer at HackerOne and former senior security strategist at Microsoft, where she got various reward programs off the ground.

Moussouris has been critical of what she believes is an overly broad definition of intrusion software and said researchers are already expressing concerns not only about bounty programs, but defensive exploit contests, training classes that teach exploitation, not to mention researchers’ ability to collaborate and share proof-of-concept code.

“The wording in the proposed regulations will make vendors less secure because fewer vulnerability reports from researchers living in nations who are subject to Wassenaar will make their way to defenders,” Moussouris said. “Researchers who want to turn the vulnerability over to the vendor generally don’t want to have to clear their disclosure by way of their government. Delays caused by applying for export licenses to claim bounties will affect researcher willingness to participate.

“Also, given that many governments, especially the U.S., participate in the 0day market buying from researchers, this presents an avenue by which the government could get free 0day,” Moussouris said. “Even if the government offered payment, this interception prevents the vendor from accessing and fixing the vulnerability.”

Bug bounties are a relatively new phenomenon in computer security circles. Bugcrowd and HackerOne are the major independent platform providers, but most major vendors, including Microsoft, Google, HP (Zero Day Initiative), Facebook, Yahoo and seemingly countless others, offer a bounty or reward program of some kind. Independent researchers, including many outside the U.S., are full-time bug hunters and submit vulnerabilities on all available programs that pay a reward.

“Income for researchers is often fragmented. In Western countries, most researchers have a day job and this is a hobby supplementing their income,” Bugcrowd’s Price said. “But in the Middle East, the Philippines, Latin America, and Eastern Europe, this is full-time income. They submit to multiple programs.”

One vulnerability is sometimes reproduced in multiple products with the same underlying business logic flaw, Price said, adding that each bounty program would then pay off not only for the research, but in the subsequent patch or code change for customers.

“It could be significant money in some cases,” Price said. “The research community is global and large. You’re talking tens of thousands of vulnerabilities responsibly disclosed to vendors around the world. One of the ways to work with researchers is that proof of concept exploit where they say ‘Here’s a piece of code that triggers the vulnerability to prove it’s there.’ It’s such an important part of the process and what’s so concerning about the Wassenaar rules. The proof of concept is what developers need to patch the bug.”

For now, Price and Moussouris said submissions to their respective programs have not dropped off, but questions are starting to come in. There is a two-month comment period ending on July 20 that’s open to researchers and decision makers, giving them a platform to voice concerns.

“The challenge is that the security community tends to be an echo chamber and historically has not done a good job reaching out to the legislative arm and educating policy makers and governments,” Price said. “There’s no information security lobby effort to educate legislators. In recent years, you’ve seen more of that with a number of companies assigning resources to do that.

“I think we’re starting to see a shift,” Price said. “There is an impact to researchers, yes, but what gets legislators’ attention is an impact to customers and users and security.”
