CANCUN – Bounty programs are mislabeled creatures, too often pigeonholed as a payoff for finding individual vulnerabilities in software.
Wrong.
“The name bug bounty is actually a false categorization of what is truly just an incentive program,” said Katie Moussouris, chief policy officer at HackerOne and architect of Microsoft’s vulnerability coordination program, during her talk today at the Security Analyst Summit. “You are creating an incentive for whatever you want. It’s not just individual bugs all the time.”
That means organizations interested in nurturing their own programs should think not only about finding and fixing one-off bugs, but also about strategic goals such as eliminating entire classes of vulnerabilities and encouraging contributors to build mitigations. Architected correctly, a vulnerability incentive program can also feed an enterprise's software development lifecycle and reduce the number of bugs that leak into production.
And don’t live under the illusion that you’ll never have to contract a pen-tester again.
“There’s a time and place to get specialists under contract to look at things you don’t want to open to the world; that’s where a pen test comes in,” Moussouris said. “You cannot replace pen-tests whole-heartedly. It’s playing whack-a-bug if you’re not feeding your bug bounty program results into your SDL.”
For its part, Microsoft was standoffish about dipping into the bug bounty waters, and for good reason. As Moussouris explains it, for a long time researchers who wanted to find Windows or Internet Explorer bugs were after nothing more than credit in a Patch Tuesday security bulletin. Often, those credits were career boosters, she said. Even established third-party programs such as the Zero Day Initiative were contributing bugs to Microsoft gratis.
But as vulnerability brokers and companies such as VUPEN and ReVuln emerged, the market began to exert its pressure on Microsoft. Moussouris had to turn part politician inside the walls of Redmond and convince the powers that be to give researchers an incentive not to give in to the six-figure seduction of the vulnerability market, and to renew relationships with white-hats.
The end result was a number of specialized bounties sponsored by Microsoft, including a $100,000 mitigation bypass bounty, the BlueHat bonus for defense and a temporary Internet Explorer bounty.
In each case, there were carrots Microsoft was dangling in front of researchers that others in the market were not.
“Again, this isn’t a bounty, it’s an incentive,” Moussouris said.
Yet it still wasn’t good enough, Moussouris said, recalling how she had to convince Microsoft to begin paying for bug submissions in IE 10 while that version of the browser was in beta. She treasures a chart that shows a huge spike in bug submissions once IE 10 was released to manufacturing, many of them critical vulnerabilities that would later be fixed in security bulletins.
“There were no incentives if Microsoft fixed a bug during beta; no bulletin, no credit, no incentives during that period,” Moussouris said. “What if we create an incentive beta program if there were no buyers in town?”
The bounty program was extended into the beta period, giving Microsoft first crack at bugs before they reached the open market. And they were fixed on the cheap, too. For IE 10 in beta, there were 23 submissions, 18 of which would have been rated critical, including four sandbox escapes, Moussouris said. The total payout: $28,000, an average of $1,100 per bounty.
“If you create an incentive at the right time, you will absolutely get the results you want,” Moussouris said.