Of Bugs and Bounties
When vendors first began crediting security researchers for reporting vulnerabilities in their products, the reward typically was your name in 12-point Arial at the bottom of a security advisory*. Those days are long past, and the bug bounty game has changed so dramatically that independent security researchers can now make a very comfortable living by finding bugs in the right kinds of products.
The latest big-name company to join the bounty world is Uber, which announced its first public bug bounty program this week. Uber has been running a private version of this program for a few months now and decided to open it up to the wider research community. The company is offering up to $10,000 for the highest-severity vulnerabilities, and also has put together a unique structure for the program that will allow researchers to earn higher bounties for finding more bugs in Uber’s products. It’s a kind of frequent-finder system for vulnerability researchers.
In the span of a few years, bug bounties have gone from a novelty to a small but growing industry. Companies such as Bugcrowd and HackerOne have sprung up to help other firms manage these programs, and most of the major software and Internet companies have established some form of reward system. Google, Facebook, Adobe, Amazon, eBay, and many others have bounties, and even Microsoft, which had resisted the idea for a long time, now offers some lucrative rewards for certain types of vulnerabilities. Some of the rewards can run into six figures from companies such as Google and Microsoft, depending on the kind and severity of the bug.
But while bounty programs are vital and have contributed greatly to the security of many products and sites, they should not be seen as a cure-all or a replacement for a strong internal security culture at a company. Software security requires that engineers and developers start thinking about the security and reliability of their products from the earliest stages of the design process. That’s where an internal security culture is vital, because outside help typically isn’t part of that process. It’s up to the company’s own developers to get it right.
But once a product is released into the world, things change. When customers, researchers, and attackers start using and misusing the product, bugs tend to surface and it’s difficult for an internal team to find them all, especially when they’re focused on building the next product.
“Even with a team of highly qualified and well-trained security experts, you need to be constantly on the lookout for ways to improve. This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber,” said Joe Sullivan, chief security officer at Uber.
It’s nearly impossible to know the ratio of vulnerabilities discovered by internal QA and security teams before products are released to those discovered by external researchers after release, because companies typically don’t release data on internal bug discoveries. But we do know that many of the companies that offer bounties right now also employ some of the better security researchers in the industry. The best examples are Google and Amazon, both of which have large, diverse, and highly talented internal security teams. These companies know that there is clear value in rewarding external researchers for their work, but also understand that internal teams know their products better than anyone and may find issues that no one else could.
Each approach has its own value, and employing both gives companies the best chance of making their products as secure as possible.
*Credit: Katie Moussouris, HackerOne