The Joys of Running a Bug Bounty Program

When Barracuda Networks started its bug bounty program about three months ago, company officials weren’t exactly sure what to expect. They didn’t know whether there’d be an onslaught of submissions or the sound of crickets chirping. The reality turned out to be somewhere in the middle.

Bug bounty programWhen Barracuda Networks started its bug bounty program about three months ago, company officials weren’t exactly sure what to expect. They didn’t know whether there’d be an onslaught of submissions or the sound of crickets chirping. The reality turned out to be somewhere in the middle.

Barracuda established its bug bounty program in November, following in the footsteps of more prominent vendors such as Google and Mozilla, both of which have had such offerings for some time and have paid out tens of thousands of dollars in rewards to researchers. Google in particular has seen researchers respond quite well to its reward program and the company often pays out upwards of $15,000 in rewards when it releases a new version of Chrome that includes bug fixes.

Barracuda, by contrast, doesn’t have products that are quite as ubiquitous as those offered by Mozilla or Google, so company officials knew that the program would be a little different from the existing ones. Overall, the company has been getting about 10 bug reports a month, none of which has been very serious. But that doesn’t mean the program hasn’t been a success.

“A big part of the reason we did it is the cultural shift from about 10 years ago where no one wanted bugs reported and you might get a legal response from the vendor. The next step was people accepting bug reports willingly and now its making the next step to companies like ours and Google and Mozilla actively soliciting bugs,” said Daniel Peck, a research scientist at Barracuda who will talk about the experience of the reward program in a talk at the BSides San Francisco conference next week.

One thing that Peck and his team discovered is that there are a number of researchers who want to participate in the program but don’t have access to a Barracuda box. So the company is considering setting up a kind of hack lab environment that would give researchers access to the company’s products for a given amount of time, say 24 or 48 hours, and let them take a swing at finding some bugs.

Peck said that Barracuda also had run into the same problem that Google and others have: hackers don’t pay much attention to directions. The company set out specific parameters for what kind of vulnerabilities in which products were in scope for the rewards, but some researchers still submitted flaws that were out of bounds, including bugs in partners’ products or in the Barracuda corporate Web site.

Also at BSides next week, Ray Kelly, manager of client-side security technologies at Barracuda, will give a talk on ways that users can abuse the APIs in the geolocation features of tools such as Facebook, Foursquare and others.

“This isn’t particularly new, but now the incentives are bigger, because companies are using this stuff as a marketing tool and offering things like free trips and Mazda is even offering a free car,” Kelly said. “I don’t think they’re thinking about the problems. This is about the companies needing to know that this stuff is out there.”

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.