I expected some whining from a couple of software companies about my refusal to test their software for free. I got a couple of emails about that, but what surprised me more was the response I got from a trusted colleague (and friend) Lenny Zeltser. Lenny wrote:
While some companies have mature security practices that can incorporate a bug bounty program, many organizations don't know about the existence of the vulnerability market. Such firms aren't refusing to pay market price for vulnerabilities--they don't even know that vulnerability information can be purchased and sold this way. Should vulnerability researchers treat such firms differently from the firms that knowingly choose not to participate in the vulnerability market?As luck would have it, I'm actually at a small security vendor conference in Atlanta, GA today. I polled some vendor representatives to find out whether or not they are aware of a bug bounty program for their software. I also asked whether they are aware of the vulnerability market. The results were fairly telling. First, let me say that this is not a good sample population (but was used merely for expediency). Problems I see with the sample:
- These vendors self selected to attend a security conference. Most of them sell security software. They are probably more "security aware" than other vendors and therefore may have more inherent knowledge of security programs (vulnerability market and bug bounties).
- The people manning the booths are most likely not app developers and probably not involved with the SDLC or vulnerability discovery.
I can only say that attitude is myopic at best. Practically speaking, if you don't have any vulnerabilities, then a bug bounty program costs you nothing. Why not implement one? You need a policy drafted, some legal review, a web page announcing the program, and some staff to respond to vulnerability reports (note: you'll need the last one anyway, so it's not an additional cost). I'd like to take the position that a bug bounty is never a bad idea. If you disagree, please tell me why. I'm serious about this. If you or your company does software development and you refuse to implement a bug bounty, please share your reasoning (post it here as a comment if you care to so everyone can see). If your reasoning is purely philosophical, I'm sorry to tell you I think that ship has sailed. I'd like to collect a sample set of reasons that companies either refuse to pay bug bounties at all or want to get by without paying market prices.
In my next post, I'll address the second part of Lenny's comment: should vulnerability researchers treat smaller, immature organizations differently than those who knowingly refuse to participate in the vulnerability market. Look for that post early next week.