The booming rewards on offer to researchers hunting software security flaws risk breeding a culture of entitlement, according to one of the UK’s most successful bug hunters of recent times, James Forshaw of pen-testing firm Context Information Security.
As the researcher awarded the first ever Microsoft $100,000 (£66,000) bounty ‘jackpot’ last October you’d expect Forshaw, 35, to stick up for the idea of handing over money for flaws, but during a conversation with Techworld his doubts about the direction of a burgeoning industry quickly surface.
That direction: a growing range of vendors now run programmes in which a global cottage industry of full-time, freelance security researchers sells them vulnerabilities in return for money.
Measured and thoughtful, Forshaw’s anxiety is that the growing money on offer could breed a bad attitude in some quarters, the expectation of reward from any affected vendor.
“Your biggest problem is when people demand money,” he says. “People will try to blackmail companies, they will stamp their feet.”
The bounty industry started a decade ago in contentious circumstances when specialist firms such as TippingPoint (now owned by HP) and iDefense started shoving cash at the shadowy coders who’d twigged that software was full of valuable and dangerous vulnerabilities people would pay to know about first.
These days, software brands including Mozilla, Google, and Microsoft have reluctantly joined in this party, setting up programmes that offer rewards for responsible disclosure of flaws in their (and usually only their) software.
It’s been apparent for years that professional criminals have been driving the market with reward programmes of their own, which nobody paid much attention to until it turned out that some of these ‘criminals’ included nation states out to subvert one another.
Heads were banged together across the industry and the tide has now turned in favour of treating it like a market rather than a moral obligation. Vendors will never compete with criminals on rewards, but at least they can drive up the price and perhaps keep some of the worst flaws, zero days, off the supermarket shelf.
Vendors have also realised that they can look foolish when researchers start publicly discussing their programmes, or more often the lack of them. Ask Yahoo, which last year turned out to be offering $12 t-shirts in return for serious flaw disclosures, almost worse than offering nothing at all. A few bad headlines later, Yahoo became the latest software house to set up a formal programme with rewards of up to $15,000 for top flaws.
“It’s getting to the watershed moment. It [payment] is now seen as the rule rather than the exception,” notes Forshaw. “The fact that vendors are putting up the money does legitimise the market.”
As to introducing software liability, Forshaw is sceptical, worrying that it would kill the risk-taking and innovation that is the point of software.
“If you start charging companies you start dis-incentivising them to produce new features.”
The volume of flaws is as much a direct consequence of this innovation as of the lack of formal software development lifecycles that build in security from the start to stop vulnerabilities from occurring. That would be too complex and expensive for many firms that already rely on outside coders to turn around new software as rapidly as possible. Mistakes inevitably creep in and security gets a lower priority.
“Secure programming is a nice ideal,” says Forshaw, sceptically.
What about more recent ideas such as setting up a global repository or programme for buying flaws across all vendors, not just those rich enough to hand out money to professional bounty hunters?
Again, because the supply of serious vulnerabilities is always large, “outbidding the bad guys would not necessarily make the world more secure.” The expense would be huge and that’s before considering the effect of states bidding for flaws for their own use, he says.
That is a tough one to answer. Even if the software industry collaborated, governments would need to be part of the programme so that reported flaws could be fed back through national CERTs. Yet, by the same token, governments are happy to use a private stock of flaws in cyberwarfare when it suits them. Checkmate.
For the record, Forshaw’s widely-publicised reward went not into his own bank account but to fund the research he is left alone to do as part of his day job working for ContextIS.
As Forshaw puts it of the bugs he’s been paid for, “It keeps me ticking along doing the things I like doing but there is always a question of how research pays for itself. It keeps the accountants at bay.”
As head of vulnerability research, his success highlights a point that tends to get lost when the question of bug bounties gets batted back and forth: even now, vendors aren’t that interested in paying their own staff to do this sort of job, despite the sometimes serious consequences when unpatched vulnerabilities are used in real-world attacks.
The fact that Context IS – a firm that makes its money offering a range of forensics services – allows him to spend time on something that doesn’t always have much of a commercial pay-back remains an oddity in the UK. In Britain, flaw hunters do it for love or money, but usually alone.
“The ‘no more free bugs’ mantra has been used for a number of years, but perhaps we have finally reached that point. This might increase the future risk that if the bounty programs are scaled back it could irritate researchers sufficiently for them to go to full disclosure or to sell into less legal markets which is bad for the majority of the users of the Internet,” mused Forshaw in an earlier, unpublished article.
“Where bounty programs go from here is unclear.”
Today, if Forshaw is not the UK’s only successful bounty hunter, he remains the only one to receive serious money from Microsoft in return for a piece of bad news.