Bounty programs could swat more bugs with better tools

Bug bounty programs to spot software flaws have been effective, but there are still bugs remaining. A new study suggests the best improvement to bounty programs could be focusing some attention somewhere else: Bug finding tools.

There's no question that bug bounties – rewards offered for information about software flaws – have been useful in finding and fixing vulnerabilities affecting countless tech companies. 

In fact, Google announced in February that it was so happy with its "Pwnium" program to find bugs in the Chrome browser, it would expand the budget to "infinity million dollars." The success of bug bounties has even spawned a cottage industry of companies that run bounty programs. HackerOne, for example, operates bounty programs for Twitter and Yahoo. 

But even with the rewards that businesses are offering, many vulnerabilities still go unreported to firms whose software needs to be repaired. The problem is that interested third parties – both foreign and domestic government agencies and sometimes criminals – are willing to pay handsomely for the bugs to use for their own means. 

Companies offer bounties that range from mentions on a website or T-shirt or payment that's rarely more than a few thousand dollars. Facebook, for example, payed an average $1,788 per vulnerability last year. But corporate rewards are no match for open market values. Major vulnerabilities can sell for tens or hundreds of thousands of dollars. 

And as long as that shadowy market exists, the question is how to shift the balance of power in the vulnerability marketplace from people looking to purchase bugs they plan to exploit to people who plan to fix them. Or, in industry terms, how can we dry up the market for offense and expand the market for defense? 

The solution might be to create an entirely new marketplace. 

New research that will be presented next week at the RSA Conference on computer security in San Francisco says that bug bounty programs should be joined by tool bounty programs.

“If you talk to people in the offensive market, they don’t use tools,” says Katie Moussouris, chief policy officer of HackerOne, who coauthored the paper with Michael Siegel, principal research scientist at the MIT Sloan School of Management 

"They’re like Neo in 'The Matrix,' able to see the woman in the red dress right away," says Ms. Moussouris. "Improving tools benefits defense way more than offense."

Moussouris is putting her money where her mouth is. The Internet Bug Bounty Panel, a service supported by HackerOne that provides bounties for unfunded open source development, is starting to offer rewards for new tools, as well. The panel will even retroactively provide rewards for tools that have already been built. 

Some tools do exist. One called a fuzzer is a program designed to use random inputs to crash other systems. Then, an additional tool can be used to check if those bugs could cause security breaches. But, until now, there hasn't been much incentive to produce and publicize tools – other than the Internet equivalent of civic pride.

The research from Moussouris and Dr. Siegel shows that tools are more than just a viable option for improving defense without impacting offense. It also shows that the obvious solution to improving the defensive vulnerability market – outspending offense – may not work.

Last year, Dan Geer, the chief information security officer for the CIA-affiliated investment firm In-Q-Tel, argued that the US should pay hundreds of thousands of dollars for any vulnerability. That way, he said, it would cut off the nefarious use of the flaws. 

But one problem with that approach, says Moussouris, is that that kind of incentive program would encourage researchers to go after low hanging fruit – bugs in new, less-vetted products rather than what older, widely adopted ones. A second would be that it would encourage high turnover in software developers. Why stay at Apple, for instance, if your experience working with iOS could help you find millions of dollars in bugs?

The need for better bug-hunting tools is getting support within the security industry. 

"Publicly available tools are many years behind the state of the art," says Dan Kaminsky, chief scientist of the security firm White Ops, which is famous for finding a bug in the fundamental architecture of the Internet.

Mr. Kaminsky is a late convert to bounty programs – before the first ones succeeded, he was loudly against them. He worried that, without some level of quality control, companies would bankrupt themselves paying off people who found minor issues that didn't really rise to the level of threats.

Programs such as HackerOne and its competitor, Bugcrowd, saved the system by being able to competently evaluate which bugs were wastes of time, he says.

In fact, some see more promise in the Internet Bug Bounty Panel's formal recognition of useful tools than in legitimate bounty programs. 

“It occurred to me that, if IBB is funding tool research, it delineates where the most effective tools are,” says Tod Beardsley, the engineering manager of the Metasploit penetration testing tool the security firm Rapid7. "This gives a solid hand in guiding people to things that are legitimately new."

Mr. Beardsley acknowledges he is a little biased against paying for bugs – the Metasploit software is developed by fiercely loyal volunteers working for no rewards. If offering rewards for tools to discover bugs proves more effective than offering, well, nothing, he joked, “we’re out of a job.”