How Bug Bounties Are Like Rat Farming

UPDATED SAN FRANCISCO–It’s become fashionable of late to have people from outside the industry give keynotes at security conferences as a way of providing a fresh perspective or unique insight into what security means. Often, that fresh perspective turns out to be some variation of the “I don’t know security, so let me tell you how it doesn’t relate to my field” speech. Stephen Dubner fixed that.

The co-author of the ridiculously popular Freakonomics books, Dubner is a former New York Times writer and would seem an incongruous choice to kick off the talks at a security conference. But it turns out that he knows more about security than one would think. Maybe even more than he might think. His books are filled with stories meant to show the uninitiated how deeply economics and its offshoots affect our daily lives.

Much the same could be said of security and its numerous sub-disciplines. As recently as three or four years ago, many normal Internet users probably didn’t give much thought, if any, to the security of their PCs. If they did think about it, they likely thought in terms of annoying viruses and worms, or maybe identity theft. But the events of the last few years have shown that no one can afford to ignore the reality of the security situation.

In his keynote speech at the United Security Summit here, Dubner said that he had great respect for the job that security professionals do, fighting the good fight against attackers and the occasional nation-state. But his most insightful comments had to do with rat farming.

What is rat farming, you ask? It turns out it’s essentially a slightly more disgusting version of bug hunting. Dubner said that he was in Johannesburg, South Africa, recently, and the city was having a serious problem with rats. Officials had tried a number of remedies with no real success, and so they eventually hit upon the idea of offering a small monetary reward for every dead rat turned in. The program was a huge hit, and dead rats started flowing in.

But the idea actually created an entirely new industry: rat farming. Once people discovered that there was money to be made by turning in dead rats, they started breeding the vermin strictly for the purpose of killing them and collecting the cash. Effective, but gross.

But it has a clear analog in the bug-bounty programs that software companies such as Mozilla, Google, Barracuda and others have established in recent years. The results have been quite different, however.

The vendor reward programs offer researchers various cash rewards for reporting vulnerabilities to the companies, and they’ve been quite successful in drawing submissions from a wide range of people. But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that’s a good thing.

The researchers aren’t introducing the bugs into the software, of course; they’re simply finding flaws that might not have been found under other circumstances. Those who run the bug bounty programs at the software companies say that they are seeing far more submissions than they did before their programs began, and the combined resources of the external researchers and the vendors’ internal teams find far more flaws than the internal teams alone could.

The idea of people raising rats for the express purpose of killing them likely isn’t what the officials had in mind when they began their reward program, and they may well end up with a larger rat infestation than they had when they began if they put a stop to the rewards and the rats end up wandering the streets. But the opposite has occurred with the vendors’ bug bounty programs. As they’ve continued to reward researchers and even raise the amount they pay for new bugs, researchers have responded with more submissions, and all of the users of those applications have benefited.

Updated to include more context about bug bounty programs.

Discussion

  • Anonymous on

    WTF? This makes absolutely no sense. Bugs cannot be manufactured into existing software; they are created by the vendor, not by the vulnerability finder. The analogy to rat farming is completely bogus.

  • Muntz on

    @Anonymous:  One might say that software is created by the vendor, but it is ultimately a human who writes code.  Said human might find a bug in their own code and have a choice of fixing it or leaving it there until the product ships while conspiring to share the bug with a third party and then split the bug bounty.  Thus the analogy to rat farming is not "completely bogus"

  • David Gerard on

    Your article claims rat farming is going on. But this would only be a good analogy if it were the original developers deliberately writing bugs to collect a bounty. If you don't have pretty darn hard evidence that this is happening, your article is defamatory.

  • Barbara on

    Congratulations on proving you don't have a clue-by-four.  The comparison between rat farming and bug hunts is a total fail, with the exception that everyone can now add you to the list of buggy "security prognosticators."

  • Anonymous on

    @Muntz The analogy is bogus because it does not state the comparison clearly.

  • Anonymous on

    This article reflects the lack of practical or hands-on experience in the software industry..... an "individual" does not find a bug in his code....there are hordes of QA and test engineers who run all kinds of tests to identify bugs in a particular enterprise software and send it back to development to fix in this or the next release. There are actually whole teams in any self-respecting software development group dedicated only to finding and fixing bugs.

  • sam on

    Wow, that really is the worst analogy I've ever had the displeasure of reading.

     Or are you seriously claiming security researchers are intentionally introducing security bugs in said software projects (under some other identity) and then reporting and claiming a bug bounty on them? And you seriously think that is a good thing?

    Or is your analogy complete and utter garbage?

    And no, there really isn't a third option.

  • Anonymous on

    Agree with the comment above. They are essentially saying that companies are making inferior software in order to pay people to discover their exploits on purpose? I do agree with the first part of the article, in paying people to discover their mistakes. But to argue that companies are making bugs on purpose and paying people to discover them just doesn't make any sense.

  • Anonymous on

    The analogy isn't completely bogus.  Think of it a slightly different way, a rat != a bug, a wild rat == a bug that would affect a user.

    The farmed rats are then equivalent to the "could only really happen in a controlled lab environment" bug.  They are still bugs, it's good to get rid of them, but they aren't really (or at least shouldn't be) the primary concern.

  • Anonymous, also on

    The author does leave out how this is good. But, the analogy holds.  Software creation is both science and art.  There are multiple ways of accomplishing any one task.  It's sort of similar to the saying, "It's not a bug. It's a feature."  What one designer sees as a feature, another sees as an unexploited bug... add a bounty and the line between identifying bugs and exploiting features begins to blur.

    The analogy, like all analogies, is certainly not perfect; but it illustrates the economic incentives very well.

  • Norman RIchards on

    I agree.  This article makes no sense.  It would be the same thing if the researchers were contributing software with security problems to these projects and then "discovering" the problems later.  If that's happened, the article should provide references.  Otherwise, we must assume these researchers are discovering legitimate bugs and are more like the legitimate rat hunters.

  • Anonymous on

    I think what it means is people are trying to create attacks which can be used to exploit the software and then reporting them to mozilla etc....they are informal hackers ( as opposed to crackers) ....

    normally a bug is in the usage of the software... this bug hunting does not bother much with the usage but with the bugs in the code... even if the bug does no harm to almost every case possible.. these guys find out the cases where it harms the system and then report it? probably he meant it that way....??

  • DaveK on

    >"What one designer sees as a feature, another sees as an unexploited bug... add a bounty and the line between identifying bugs and exploiting features begins to blur."

    No, this is nonsense.  The bug bounty programs mentioned only pay for real exploitable security bugs, as you would know if you read their FAQs.  Whether it's a bug in the code or a feature that is capable of being misused is utterly irrelevant; all the bounty programs want to do is uncover vulnerabilities, regardless of their underlying cause.  Perhaps it's slightly misleading to refer to them as "bug bounty" programs rather than "security holes opened by bugs or misdesigned or misimplemented features bounty" programs, but the latter is rather a mouthful.

    And therefore the comparison to rat-farming is still bogus, because the people claiming the bounties are not creating new bugs that previously did not exist.  That's the whole thing about rat-farming: the unintended consequence of paying a reward for rats is that new rats that did not previously exist are created by the farmers.  But unless the researchers accused in the article are actually deliberately writing buggy code and submitting it as contributions to the open source side of the projects so that they can subsequently pretend to have discovered the bug to claim a reward, they aren't comparable to rat-farmers, because paying them does not cause new bugs to be deliberately inserted into the code in question.

    Dubner's speech was not "insightful".  It was just plain wrong.

  • Anonymous on

    Is this analogy based on actual facts or just a weird and very bad idea by someone who has absolutely no clue? There's no way to know if your rat came from a farm or from the wild, but there's plenty of ways to trace a bug back to the person who is responsible for it.

    Honestly, given the number of checks, peer reviews and unit tests usually in place for such big companies, there is absolutely 0% guarantee that an intentionally inserted bug by a programmer would make it into the final release of the product.

    Anyone with the slightest amount of talent would be much better off putting his efforts towards writing good code and working on getting a promotion instead of trying to make bank from such an unpredictable scheme at the risk of getting fired.

  • Michael on

    The author clearly has no clue about how software is made and how security works in the slightest.  I'm not sure who concerns me more though.  The author or the people trying to defend the nonsense analogy.

    For the fools who think  "a rat != a bug, a wild rat == a bug that would affect a user".  All bugs affect users eventually.  The point of the bug hunt in the lab is for the White Hats to find the bug before a Black Hat finds the bug.  A bug in Chrome is probably completely meaningless to any user except once it is found by a Black Hat they start using it to hack your system.

    Bug Bounties are really more of a race to find a bomb that, unless a Black Hat finds it, will never go off.

    Unless you have proof that a rogue programmer in a company is deliberately putting bugs into the software to give them to someone else so they can make some easy cash, the analogy is completely false and should be rescinded by the author.

  • Anonymous on

    Yes it's possible for someone working for a vendor to slip a bug into the software, then conspire to collect the reward for its discovery.  But if they did it more than once, the chances of them being caught would be astronomically high.  This article seems to be seven paragraphs of introduction, and one unsupported thesis with a conclusion that makes no sense at all.  Add another few paragraphs of explanation of how bugs can be "bred" and maybe some support for the thesis and it will make a lot more sense.

    No judgement intended - this article just seems to end right about the time it starts to get up to speed.

  • Hentes on

    This is bullshit; you can't insert a bug into software from outside. And if an insider tried to do it he would be caught in no time.

  • Anonymous on

    Oh and we all know how perfectly QA'd outsourced code to foreign countries (let alone domestic) is... The emergency patches companies send out MUST be a ruse for support $$.

    How they protect the code bases with perfect segregation of duties...

    How they could NEVER accidentally or intentionally install or distribute malicious code...

    History has NEVER given us examples of those things happening...

    This could NEVER be exploited by a disgruntled bunch of programmers.

    Get off the high horses, people… it's plausible.


  • Anonymous on

    This has got to be the most confusing analogy I've ever read. The biggest difference between rat farming and bug hunting is that with rat farming, the supply can be manipulated. For bug hunters, the supply is delivered by the product/company, which cannot be manipulated by the hunters themselves. Your post is very confusing.

  • Anonymous on

    No, it's not even a little bit plausible.

    Any software that offers bug bounties will track its source code using a modern source control revision system.

    If the bug bounty system is maliciously exploited by introducing malicious bugs, there will exist in the revision system a traceable log of who introduced the malicious bugs and how.

  • JH on

    I think it's dishonest to add paragraphs to the article, without noting that you have done so.

  • Anonymous on

    So this means everyone and their mother should be calling Dennis Fisher out for being a piss-poor journalist. Not only can he not properly report on an analogy that was (I assume) used in the presentation, but he edits the article without indicating that he's done so, to make the comments on the article look like people didn't read the article.

    As a regular reader of ThreatPost I think I'm going to take my loyalty elsewhere. Clearly we, the readers, are the product, and misinforming us (or reporting the news poorly) isn't a concern. The concern is selling us to the advertisers.

    Goodbye ThreatPost, I shall not miss you.

  • Al Nonymous on

    This appears to be just another example of a tech "journalist" trading their credibility for the many, many clicks that result from this type of moronic and controversial trollbait.

  • Anonymous on

    Oy.  So the analogy to rat farming is to say it's not like rat farming at all.  Brilliant.  (as in not brilliant).

  • Anonymous on

    Input Fuzzing: Creating thousands of erroneous inputs into a system in an attempt to find a bug.

    Rat Farming: Creating thousands of random inputs into a system in an attempt to find a bug.

    Q.E.D. 

  • Anonymous on

    Just posting in agreement. Mr. Fisher's article sucks; this has no point...it's as bad as McGraw's post the other day....absolutely useless waste of time and effort which conveys no information.

    "I juggle verbs, adverbs and nouns. And run."

    You do so badly sir....

  • DaveK on

    Oh for goodness' sake, when you're in a hole, stop digging.  Your ludicrous self-justifying post-edit has merely made your article internally inconsistent:

    > "But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are.  [ . . . ] The researchers aren't introducing the bugs into the software, of course; they're simply finding flaws that might not have been found under other circumstances."

    So the researchers aren't introducing them, but they are "being bred in the lab"?  What does that gibberish even mean if it's not supposed to suggest they are being artificially created?  Give it up now before you make an even bigger fool of yourself.

  • DaveK on

    >"Rat Farming: Creating thousands of random inputs into a system in an attempt to find a bug."

    No it isn't, it is breeding rats that would never have existed without the fact that they would be paid for.  The original speaker was making a comparison between a situation in the real world and a situation in software development, so your utterly irrelevant comparison between two situations in software development completely fails to back up the original speaker's bogus analogy.  You just invented a new meaning for "rat farming" that a) wasn't the original speaker's intent and b) was deliberately chosen just to match the thing you wanted to claim it was the same as; that's a circular argument-by-definition.  Q not ED the slightest little bit.

  • Anonymous on

    I think many of you are making the common mistake of assuming the researchers he's referring to are the same folks who write the software, or even have any sort of vested interest in the software's usability. Perhaps he could have clarified this. I think what he's trying to say is that in addition to the in-house bug finders (aka the citizens of South Africa), there are now external bug finders such as security analysts (aka rat farmers from elsewhere) who have little to no interest in cleaning up the software (aka getting rid of the rat problem), but do have an interest in the rewards for submitting bugs (aka rat bodies). I.e. the analysts are looking for bugs strictly for the purpose of submitting them for cash prizes.

    I'm not saying he made a good analogy. However, it does seem that many people are confused about in-house developers versus external security analysts. No one is inserting bugs into software.

  • JH on

    @1.01pm 

    So, what part of what you've just described is analogous to breeding a new rat, as opposed to hunting down an existing rat?

    Without that, the story has no point.

  • DaveK on

    Except that the rat farmers were also all South African citizens; they were being farmed in the same back streets where the infestation problem existed, they were not external imports.

    And if nobody is creating new bugs, then "farming" is completely the wrong analogy.  The division you suggest between in-house and external bug finders would be a valid analogy compared to if the South Africans had originally had a force of government-employed rat catchers and then started paying citizens-at-large.  Without any "farming" of new bugs/rats, there is no difference between the in-house people and the external ones because they both *are* cleaning up the problem; the problem can only fail to be cleaned up if new rats/bugs are being deliberately created.

    The point about the rat farmers is not that they were motivated by money and someone else was just motivated by wanting to get rid of rats for the general good of the world; the point of mentioning rat farming is that it turned out to be an unintended consequence of the rat bounty.  There is no such unintended consequence either extant or even possible for the bug bounty, and that is why the analogy is invalid.

  • sam on

    Oh my God! You somehow made the article worse with your stealth edit.

    You don't think that perhaps the entire reason for running a bug bounty program is to get more bug submissions? But you are so amazed and shocked by the fact that it works as planned that you have to write a nonsensical article comparing it to the undesirable side effect of something else?

    Thanks for making me dumber and ensuring this site doesn't end up in my daily reading list.

  • Anonymous on

    That's not how you do it: You feed the rats to the cats and the cats to the rats and get the cat skins for nothing.

  • sam on

    @DaveK -  1:58pm

    There are some possible unintended consequences of a bug bounty program. Off the top of my head: someone finding an obscure bug that isn't a security issue and, instead of submitting it, sitting on it in the hopes a future change will make it a security issue so that a bounty can be claimed.

    Not that that helps the ridiculous article, since it didn't even mention anything along those lines. Or that they have actually occurred, but in theory...

  • Anonymous on

    How Bug Bounties Are NOT Like Rat Farming There, fixed that for you.

  • Anonymous on

    Reminds me of the Dilbert strip, where after instituting a reward program when its programmers fix bugs, Dilbert says, "I'm going to go write myself a sports car".

    That's where the breeding rats analogy applies, but not to external researchers. 

  • Wh1t3Rabbit on

    Wait ...how do those who have been commenting that they don't get it ...not get it?  It's perfect ...just the way Dubner's books are...genius.  He's demonstrating that the bug bounty programs had the opposite effect of a similar bounty program on dead rats.

    Great analogy, love the Freakonomics series and Dubner's work.

  • Alan on

    Is a bug that is never found really a bug? If you answer no, then one could argue that offering a bounty that leads to the discovery of bugs that would never have been found is akin to the bounty creating new bugs. Since we can't tell the difference between a bug that would never be found and one that would be found and exploited, finding as many bugs as possible and getting them patched is a good thing.

  • Barbara on

    The article originally ended with " But are those bugs being bred in the lab by researchers just to be led to the slaughter for a nice payday? Yes, yes they are. And that's a good thing."

    Introducing two extra paragraphs after people have called you out on being foolish now gives us reason to call you out on being dishonest as well.

    First rule, when you've dug yourself into a hole, is to put down the shovel.  There are far too many people who saw the original article, and who have commented on its silliness elsewhere, to "'splain away" this.

  • Anonymous on

    fail

  • Dennis Fisher on

    I clearly didn't explain what I meant very well in this piece. Sorry about that. I was *not* claiming that researchers somehow introduce flaws into the applications that they're looking at as a way to claim bogus rewards. All I was trying to say was there are some unintended consequences for some of these ideas, as Dubner pointed out in his speech, some of them positive, some negative. The software vendors have accrued a lot of benefits from their bug bounty programs, and so have users, by extension.

    I apologize for not being clearer with my thoughts on this. I found what Dubner said interesting, and thought there was an interesting parallel with some parts of security. That's all.

  • Jim on

    Confused IT guy says...huh?

  • Anony-mouse on

    The article's analogy is misgiving and unrelated, and is a patently erroneous representation of what is actually occurring when those who produce software also offer a bounty for the discovery of problems contained within.

    The author should not only post a complete redaction, but an apology for drawing any publicity, whatsoever, to such a poorly written thesis.  What was the target audience here?  Did "Dennis Fisher" really think he could get away with such blatant tomfoolery or did he just have a deadline that he needed to satisfy?  It's almost written as if one were a total industry outsider, comparing 'bugs' to 'rats'.  That's, honestly, the end of the correlation between the two phyla - they're both social pests when one considers them from an abstracted sense.

    Someone remind Dennis Fisher that he failed several classes in university and needs to retake them, post haste, before we dig up his transcript and remind him ourselves.  Understood?

  • Michael Coates on

    While I find the analogy to rat farming in this article somewhat confusing and off the mark, I did find it prudent to say the following.

    I'll be presenting at OWASP AppSecUSA this week on the success of the Mozilla Web Bounty program. Slides will be online after the talk.

    http://www.appsecusa.org/talks.html#bounty

  • sam on

    @Dennis Fisher 7:16pm

    So what are the negative unintended consequences of the bug bounties? Everything you've said about them is them doing exactly as they are designed to do (have external parties find and report more bugs than they would otherwise).

    Nothing is anything like farming rats to defraud the government.

  • BenAveling on

    I think the title should be "How Bug Bounties Are Not Like Rat Farming".

  • Anonymous on

    What a stupid attempt to create traffic.

  • Anonymous on

    Not only is the analogy flawed, but the story about rats in Joburg is bullshit. See http://en.wikipedia.org/wiki/Perverse_incentive

  • Randy Grein on

    Wow. Is it troll season or are the readers here incapable of understanding written English? The analogy was stated as not exact; the comparison was to demonstrate the financial motive increasing bug exposure, not to claim people were farming bugs. The article was fine as written and exposed something long neglected in IT: financial motivations, applied properly, can provide significant benefits in software. Also noted is the cautionary tale of inadvertent consequences with the example of rat farming, not necessarily that developers would deliberately introduce bugs.

  • RAWoD on

    The analogy seems wrong to me also.  I've been in new product development since the drum memories of the LGP-30.  While many postings here are correct -- that "much time is spent testing our software before general release" --  there is still a nagging little doubt in my mind about how security software companies could/can/have "manufactured" alerts in the name of sales.  Time to move on into white-listing code?

  • Anonymous on

    On another side, South Africa would have been wiser to only bounty female rats, not male rats. Therefore, there would be less incentive to farm rats, since that requires keeping as many females as possible and turning in the majority of males for the bounty. Also, by placing a bounty on female rats only, there is at least a nexus on the source of the rat problem (pregnant females).

  • StLouis on

    The author makes a good point and I don't know why many are upset.  Haven't we suspected for years that AV makers release viruses so that they can "fix" them?  Don't we suspect Google of "mis-directing" results in their search engine?  Follow the money.  If there is a buck to be made there will be people that try to exploit it for their gain.  Not everyone (nor most people) wear White hats.

  • JH on

    @StLouis, I agree with you that antivirus makers are probably creating viruses. But the article didn't mention anything of the kind.

    @Puzzleduck, Steve Dubner is a smart guy. Freakonomics is a good book. I'm pretty sure he had a solid point to make in his talk, and that Dennis Fisher has got confused in the retelling. I'd love to find out what Dubner actually said.

  • JH on

    I don't know why, but I've chased this down a bit, and found other reports of the talk.

    From what I can tell, Dubner didn't talk about bug bounties at all.

    Dennis Fisher reports what Dubner said about rat farming, then moves on to his own thoughts about bug bounties.

    Dennis -- you need to learn a lesson from this. Your writing needs to make it clear when you're paraphrasing someone else, and when you're introducing your own ideas.
