Wednesday, October 2, 2013

Pay to play

I'm a big fan of responsible disclosure - when you pay me for it. What I'm not into is doing vulnerability discovery on a product for free.  Let's face it: if you paid your developers better (meaning you bought better developers), you wouldn't need me to do vulnerability discovery for you.  It's really a case of pay now or pay later.

Now I know what you're thinking: huge companies like Microsoft have top notch developers, but because of the complexity of their code they have issues.  I'll agree with that. But here's the rub: if they are that big, they have money. They clearly can also pay to get code review and binary analysis done on their own code.  I view paying independent security researchers as an alternative to (or extension of) the internal code review team.

At the end of the day, the point is that I don't work for free. I don't do anything for free. You don't give me free software, why should I give you free vuln discovery? If you're looking at this blog post, trust me, in the end it's financially motivated. What's my angle? I'm trying to get additional companies to start paying for vulnerability discovery/disclosure (and that's a good thing for me).

Bug Bounties
There's been a flurry of news this week about the Yahoo XSS bug bounties that paid a whopping $12.50. To add insult to injury, there are some reports that the $12.50 could only be spent in the Yahoo swag store. Facebook tried to skate on a bug bounty last month, albeit for a horrendously written vulnerability report.  But at least these companies actually offer bug bounties.  What does it say about a company that doesn't offer bug bounties? I don't know, but while bug bounties are back in the news, let's examine one rather extreme case of "we don't do that here."

What if we don't offer a bug bounty?
Box.com is a great example of a company that refuses to even offer bug bounties.  But they go a step further than simply not offering bug bounties and use veiled threats of legal action to force researchers to comply with their responsible disclosure standards.

While this is probably the most egregious example I've seen, I have a real problem with companies that don't pay bug bounties but then get all butt hurt when you disclose a vulnerability.  There's a vulnerability market out there, and companies need to understand that they can either enter the market (in the form of bug bounties) or lose to any other bidder. If you develop software and don't offer a bug bounty you deserve whatever disclosure comes your way.  While we're on the topic of bug bounties, it might be worth noting that vulnerability discovery is a purely speculative market, but so far money paid to researchers in bug bounties doesn't really reflect that. I expect that to change as nation states and private firms begin developing increasingly sophisticated offensive cyber capabilities.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.