Unlike their criminal counterparts, it turns out that white hats aren’t necessarily as financially motivated when it comes to bug hunting.
Bug bounties are everywhere, and many researchers are making a decent amount of money privately disclosing vulnerabilities through coordinated bounty programs. But results of two surveys published today by the National Telecommunications and Information Administration’s Awareness and Adoption working group show that researchers prefer open communication with affected vendors over financial compensation.
The NTIA sent out separate surveys to researchers and vendors in an attempt to measure and analyze software vulnerability disclosure and handling processes. Researchers were asked a number of questions about their current behaviors for reporting vulnerabilities and the processes they engaged with. Of the 414 who responded, 15 percent expected some sort of compensation, while an overwhelming 70 percent prioritized open lines of communication throughout the disclosure and remediation process.
“While the survey did not delve into whether monetary incentives drove bug hunters to examine particular products, it is clear from the results that bounties have not become an expected norm in the surveyed researcher community,” the NTIA report published today said.
Most white hats would settle for being involved in testing mitigations for their bugs; more than half (53 percent) do expect a vendor acknowledgement.
Communication, meanwhile, seems to be the real prize for respondents of this survey.
“Which indicates that communication is viewed not just as a way to more efficiently eliminate bugs, but also as recompense for the time that researchers put into vulnerability discovery,” the NTIA report said.
Overall, the results were encouraging from a bug-reporting standpoint; 92 percent of respondents said they either reported vulnerabilities directly to vendors, or through third-party coordinating organizations or bug bounties. Four percent said they prefer public disclosures, and another four percent do not disclose bugs.
That said, other results don’t pretend that it’s a smooth road for researchers. Bug-hunters will publicly disclose vulnerabilities (32 percent of respondents) if self-imposed deadlines are not met, while a majority at least consider it because of a frustrating experience with a vendor failing to acknowledge a bug or notify a researcher when the issue is patched.
“From an adoption standpoint, one barrier seems to be a lack of resiliency in best practices should communication between researcher and vendor break down. Many researchers felt strongly that disclosing vulnerabilities publicly was the remedy to frustrated expectations,” NTIA said. “Having strong fallback mechanisms as part of a framework may help ensure that the principles of coordinated vulnerability disclosure are more broadly adopted.”
Communication breakdowns may be a leading concern once disclosure is made, but white hats are still struggling in a big way with legal concerns. The Wassenaar Arrangement debacle of last year demonstrated the potential legal and regulatory pressures that can be foisted upon bug-hunters. The survey results reflect similar concerns where six out of 10 said they were worried their private disclosures would lead to legal trouble.
“While it is undoubtedly important that researchers have a firm understanding of the law governing their activities, coordinated disclosure is harmed if researchers believe that revealing the flaws they’ve discovered could expose them to legal risk,” NTIA said in the report. “Though, according to the broader data, fear of legal action is not a barrier per se, it may cause researchers to deviate from their default choices on disclosure. Increasing legal certainty, therefore, is a method that may improve adoption of best practices.”
From the vendor side, most organizations develop their own vulnerability handling processes that include a means of receiving and triage of bug reports through mitigation. The majority rely on internal expertise or peers when building out these processes, rather than existing standards such as ISO/IEC 29147 and ISO/IEC 30111.
Of those mature companies that have developed vulnerability handling processes, 80 percent who responded said they did so because customers care about security, while two-thirds viewed it as their corporate responsibility to do so.
“It is unclear whether companies feel that a vulnerability handling policy is viewed by their customers as a proxy for solid security practices, or whether the existence of such policies materially improves security in a way that is evident to customers; however, it is clear that demand from customers, real or perceived, can alter companies’ behavior,” NTIA said.
And despite the constant barrage of news regarding vendors and technology providers starting bug bounty programs, one in five respondents to this survey said they did not have such a program in place.
“Bug bounty programs have been relatively widely covered in the media; however, as fewer than one in five mature companies surveyed currently make use of them, it may be worthwhile to clarify in messaging that sound vulnerability disclosure practices are not contingent upon offering remuneration for bugs,” NTIA said.