Vulnerability Bounty Hunters

Bounty hunter. The term conjures up images of anti-heroes and rogues with awesome weapons and tactics in pursuit of the most dangerous criminals (or maybe just mullets). So it may be a surprise that the network security industry has its own version of these vigilantes for hire. Only, instead of searching out dangerous criminals, independent researchers are tasked with discovering and reporting software vulnerabilities.

Unlike modern bounty hunters, an independent researcher only needs to decide that they would like to hunt for software vulnerabilities, then go out and do it. When researchers discover a software bug they can then choose to report it to the appropriate authority (a software vendor, a security company, or the US-CERT). For years, independent researchers did this for peer recognition or from the goodness of their heart.

However, it soon became clear that less scrupulous researchers did this to find and exploit vulnerable programs or to sell these vulnerabilities to criminal organizations. The value of these black market transactions can only be estimated but the most high-impact vulnerabilities can sell for as much as a million dollars. To combat this practice, security vendors developed bounty programs to encourage responsible disclosure and increase research efforts.

While many security companies have offered bug bounty programs, there is now a growing trend of vendors offering rewards of their own. For example, Facebook announced its own program in 2011 and has already awarded $190,000 for original, responsibly-disclosed vulnerabilities. Google has awarded $700,000 since its bounty program debuted in 2010. Microsoft refuses to pay for vulnerabilities, but is focusing on a new strategy to block an entire class of vulnerabilities for a single lump sum of $250,000.

Whether it works or not, Microsoft’s strategy focuses on a long-term solution, which is admirable. Unfortunately, this strategy neglects to address the immediate threat. In effect, vulnerabilities are the keys to a successful cyber attack; therefore the search for these bugs is a constant arms race. By refusing to pay for vulnerabilities, Microsoft reduces the available outlets for responsible disclosure. Fortunately, companies such as HP TippingPoint and VeriSign iDefense are able to pick up this slack with their highly successful vulnerability bounty programs.

In the end, there is a market for everything. The reality is that software vendors face deadlines, budget constraints, and increasing pressure for new features and capabilities. All of these factors ensure that software vendors will not be able to produce flawless programs. Software vendors must improve secure development processes, increase quality testing, and hire penetration testers (and overall have shown tremendous improvement in this area already). This will reduce the number of vulnerabilities and especially the “low-hanging fruit.” But there will always be software bugs. Vendors must be ready and willing to reward researchers for their efforts or prepare to lose business after the next data breach.

****

Industry Analyst Chris Rodriguez can be found knee-deep in spreadsheets or messaged here. 

For additional information about vulnerability research, check out Frost & Sullivan’s quarterly study entitled Analysis of the Global Vulnerability Research Market in Q3 2011 or learn more about Network Security.